Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
hesaphareketi__.exe

Overview

General Information

Sample name:hesaphareketi__.exe
Analysis ID:1465903
MD5:9c2532282edd4f242a56d901d607aea5
SHA1:e17e70a3e2c181c2bb323869058dbb0638879f35
SHA256:46904554ed16878ec25cd13f60565f3a032a226d44994d4cdc672d056792f2c0
Tags:AgentTeslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • hesaphareketi__.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\hesaphareketi__.exe" MD5: 9C2532282EDD4F242A56D901D607AEA5)
    • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jsc.exe (PID: 1196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • RegSvcs.exe (PID: 7264 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7272 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • WerFault.exe (PID: 7416 cmdline: C:\Windows\system32\WerFault.exe -u -p 7116 -s 1128 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000D.00000002.3740958147.0000000002E01000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0000000D.00000002.3740958147.0000000002DB1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            0000000D.00000002.3740958147.0000000002DB1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              Click to see the 9 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              13.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                13.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  13.2.RegSvcs.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x33019:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x3308b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x33115:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x331a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x33211:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x33283:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x33319:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x333a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  13.2.RegSvcs.exe.400000.0.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                  • 0x304da:$s2: GetPrivateProfileString
                  • 0x2fbd1:$s3: get_OSFullName
                  • 0x31184:$s5: remove_Key
                  • 0x31311:$s5: remove_Key
                  • 0x32252:$s6: FtpWebRequest
                  • 0x32ffb:$s7: logins
                  • 0x3356d:$s7: logins
                  • 0x36250:$s7: logins
                  • 0x36330:$s7: logins
                  • 0x37c2e:$s7: logins
                  • 0x36eca:$s9: 1.85 (Hash, version 2, native byte-order)
                  4.2.hesaphareketi__.exe.1ced28ecfb0.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    Click to see the 15 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    Timestamp:07/02/24-08:31:31.384582
                    SID:2029927
                    Source Port:49703
                    Destination Port:21
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/02/24-08:31:32.008033
                    SID:2851779
                    Source Port:55916
                    Destination Port:51716
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/02/24-08:31:32.008033
                    SID:2855542
                    Source Port:55916
                    Destination Port:51716
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus detection for URL or domain
                    Source: http://ftp.normagroup.com.trAvira URL Cloud: Label: malware
                    Found malware configuration
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}
                    Multi AV Scanner detection for domain / URL
                    Source: ftp.normagroup.com.trVirustotal: Detection: 10%Perma Link
                    Source: http://ftp.normagroup.com.trVirustotal: Detection: 10%Perma Link
                    Multi AV Scanner detection for submitted file
                    Source: hesaphareketi__.exeVirustotal: Detection: 25%Perma Link
                    Source: hesaphareketi__.exeReversingLabs: Detection: 42%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: hesaphareketi__.exeJoe Sandbox ML: detected

                    Exploits

                    barindex
                    Yara detected UAC Bypass using CMSTP
                    Source: Yara matchFile source: 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi__.exe PID: 7116, type: MEMORYSTR
                    Source: hesaphareketi__.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: mscorlib.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.ni.pdbRSDS source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Drawing.pdbps source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Drawing.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Core.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: Microsoft.VisualBasic.pdbH source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Windows.Forms.pdbIL_STUB_PInvoke source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Core.ni.pdb source: WERF96D.tmp.dmp.17.dr

                    Networking

                    barindex
                    Snort IDS alert for network traffic
                    Source: TrafficSnort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.7:49703 -> 104.247.165.99:21
                    Source: TrafficSnort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.7:55916 -> 104.247.165.99:51716
                    Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.7:55916 -> 104.247.165.99:51716
                    Connects to many ports of the same IP (likely port scanning)
                    Source: global trafficTCP traffic: 104.247.165.99 ports 51716,62294,64014,61582,64707,61718,60017,51581,51223,54796,57829,50617,56263,1,2,53252,54600,59851,50486,50585,50763,50203,21,56529
                    Source: global trafficTCP traffic: 192.168.2.7:55916 -> 104.247.165.99:51716
                    Source: Joe Sandbox ViewIP Address: 104.247.165.99 104.247.165.99
                    Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
                    Source: unknownFTP traffic detected: 104.247.165.99:21 -> 192.168.2.7:49703 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.220-Local time is now 09:31. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.220-Local time is now 09:31. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.220-Local time is now 09:31. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.220-Local time is now 09:31. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: ftp.normagroup.com.tr
                    Source: RegSvcs.exe, 0000000D.00000002.3740958147.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3740958147.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3740958147.0000000002E55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.normagroup.com.tr
                    Source: RegSvcs.exe, 0000000D.00000002.3740958147.0000000002E01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Amcache.hve.17.drString found in binary or memory: http://upx.sf.net
                    Source: hesaphareketi__.exe, 00000004.00000002.1435427718.000001CED2824000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, SKTzxzsJw.cs.Net Code: TFawXa
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.raw.unpack, SKTzxzsJw.cs.Net Code: TFawXa
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeCode function: 4_2_00007FFAACCB5D7D4_2_00007FFAACCB5D7D
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeCode function: 4_2_00007FFAACCB05084_2_00007FFAACCB0508
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeCode function: 4_2_00007FFAACCBFD354_2_00007FFAACCBFD35
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeCode function: 4_2_00007FFAACCB14ED4_2_00007FFAACCB14ED
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeCode function: 4_2_00007FFAACCBCC444_2_00007FFAACCBCC44
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeCode function: 4_2_00007FFAACCBD4094_2_00007FFAACCBD409
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeCode function: 4_2_00007FFAACCBAC084_2_00007FFAACCBAC08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_02B84A6013_2_02B84A60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_02B89BB013_2_02B89BB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_02B83E4813_2_02B83E48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_02B8CF2013_2_02B8CF20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_02B8419013_2_02B84190
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0587BD1813_2_0587BD18
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0587DC5013_2_0587DC50
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_05878B9813_2_05878B98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_05879AE813_2_05879AE8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_05873F5813_2_05873F58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_058756E013_2_058756E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_05872EF813_2_05872EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0587365013_2_05873650
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0587500013_2_05875000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0587004013_2_05870040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_067E44B813_2_067E44B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_067EA8B813_2_067EA8B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_067EA8A713_2_067EA8A7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_02B8D2D813_2_02B8D2D8
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7116 -s 1128
                    Source: hesaphareketi__.exeStatic PE information: No import functions for PE file found
                    Source: hesaphareketi__.exe, 00000004.00000002.1437732677.000001CEDAD00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameIbomoboguxozopojusB vs hesaphareketi__.exe
                    Source: hesaphareketi__.exe, 00000004.00000000.1269301818.000001CEC0842000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIdafafetuzibunoyorF vs hesaphareketi__.exe
                    Source: hesaphareketi__.exe, 00000004.00000002.1435427718.000001CED2824000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs hesaphareketi__.exe
                    Source: hesaphareketi__.exeBinary or memory string: OriginalFilenameIdafafetuzibunoyorF vs hesaphareketi__.exe
                    Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.hesaphareketi__.exe.1ced29273f8.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@9/5@1/1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7116
                    Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\bc14644a-0253-4577-8958-45a52a5ed188Jump to behavior
                    Source: hesaphareketi__.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: hesaphareketi__.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: hesaphareketi__.exeVirustotal: Detection: 25%
                    Source: hesaphareketi__.exeReversingLabs: Detection: 42%
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeFile read: C:\Users\user\Desktop\hesaphareketi__.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\hesaphareketi__.exe "C:\Users\user\Desktop\hesaphareketi__.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7116 -s 1128
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: hesaphareketi__.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: hesaphareketi__.exeStatic file information: File size 3026543 > 1048576
                    Source: hesaphareketi__.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: hesaphareketi__.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: mscorlib.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.ni.pdbRSDS source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Drawing.pdbps source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Drawing.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Core.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: Microsoft.VisualBasic.pdbH source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Windows.Forms.pdbIL_STUB_PInvoke source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: Binary string: System.Core.ni.pdb source: WERF96D.tmp.dmp.17.dr
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeCode function: 4_2_00007FFAACD9026B push esp; retf 4810h4_2_00007FFAACD90312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_067E44A8 push eax; iretd 13_2_067E44A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_067E4000 pushfd ; retf 13_2_067E4005
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_067E1EC7 push es; retf 13_2_067E1EC8
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi__.exe PID: 7116, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory allocated: 1CEC0B80000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory allocated: 1CEDA530000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1200000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199749Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199420Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199202Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199091Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198874Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198652Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198421Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198309Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198202Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198093Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197874Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197764Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197546Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197327Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197217Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196342Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196231Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196124Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195905Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195796Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195249Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195030Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194921Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2002Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7856Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1200000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199749Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199420Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199202Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1199091Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198874Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198652Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198421Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198309Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198202Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1198093Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197874Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197764Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197546Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197327Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197217Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1197109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196342Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196231Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196124Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1196015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195905Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195796Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195249Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1195030Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194921Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 1194484Jump to behavior
                    Source: Amcache.hve.17.drBinary or memory string: VMware
                    Source: Amcache.hve.17.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.17.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.17.drBinary or memory string: VMware, Inc.
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.17.drBinary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.17.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.17.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.17.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.17.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.17.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: Amcache.hve.17.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.17.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: RegSvcs.exe, 0000000D.00000002.3746295241.0000000006130000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.17.drBinary or memory string: vmci.sys
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Amcache.hve.17.drBinary or memory string: vmci.syshbin`
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: Amcache.hve.17.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.17.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.17.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.17.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.17.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.17.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.17.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.17.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.17.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.17.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: hesaphareketi__.exe, 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.17.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.17.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.17.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.17.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                    Source: Amcache.hve.17.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    .NET source code references suspicious native API functions
                    Source: hesaphareketi__.exe, -----.csReference to suspicious API methods: GetProcAddress(_EC72_ECBB_EE75_ECB6_EE25_EEB4_EE93_060A_EC75_EE38_EE44_06D9, _08DB_EE9B_EE35_EC84_EEF2_EEF9_0606_08DA_EEA4_EED9_EE4A_EE41_060F_06E0_EC73_08EB_0E71)
                    Source: hesaphareketi__.exe, -----.csReference to suspicious API methods: VirtualProtect(procAddress, (uint)_EE42_08E5_EE21_EEB2_EED2_EE92_ECBE.Length, 64u, out var _0616_0E73_06D8_EC7C_EE3F_0616)
                    Source: hesaphareketi__.exe, -----.csReference to suspicious API methods: LoadLibrary(_EC78_EE80_EEE8_EE55_08D7_0EBA_066A_EE03_0E71_EE42_EC99_EEDE_EE6E(_0E83_0608_EE78_0E64_0600._08E2_EE93_EC77_EC86_EE2C_EEA4_EE82_EEB1))
                    Source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, zOS.csReference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D42008Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeQueries volume information: C:\Users\user\Desktop\hesaphareketi__.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi__.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: Amcache.hve.17.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.17.drBinary or memory string: msmpeng.exe
                    Source: Amcache.hve.17.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.17.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Amcache.hve.17.drBinary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced29273f8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced29273f8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.3740958147.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3740958147.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1435427718.000001CED2824000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi__.exe PID: 7116, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7264, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced29273f8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced29273f8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3740958147.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1435427718.000001CED2824000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi__.exe PID: 7116, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7264, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced29273f8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced29273f8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.hesaphareketi__.exe.1ced28ecfb0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.3740958147.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3740958147.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1435427718.000001CED2824000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi__.exe PID: 7116, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7264, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		311
                    Process Injection                    		1
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		231
                    Security Software Discovery                    		Remote Services1
                    Email Collection                    		1
                    Encrypted Channel                    		1
                    Exfiltration Over Alternative Protocol                    		Abuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Native API                    		Boot or Logon Initialization Scripts1
                    DLL Side-Loading                    		141
                    Virtualization/Sandbox Evasion                    		21
                    Input Capture                    		141
                    Virtualization/Sandbox Evasion                    		Remote Desktop Protocol21
                    Input Capture                    		1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)311
                    Process Injection                    		1
                    Credentials in Registry                    		1
                    Application Window Discovery                    		SMB/Windows Admin Shares11
                    Archive Collected Data                    		1
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                    Deobfuscate/Decode Files or Information                    		NTDS1
                    File and Directory Discovery                    		Distributed Component Object Model2
                    Data from Local System                    		11
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Obfuscated Files or Information                    		LSA Secrets24
                    System Information Discovery                    		SSH1
                    Clipboard Data                    		Fallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    hesaphareketi__.exe26%VirustotalBrowse
                    hesaphareketi__.exe42%ReversingLabsWin64.Spyware.Negasteal
                    hesaphareketi__.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    SourceDetectionScannerLabelLink
                    ftp.normagroup.com.tr11%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    http://upx.sf.net0%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://ftp.normagroup.com.tr11%VirustotalBrowse
                    http://ftp.normagroup.com.tr100%Avira URL Cloudmalware

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    ftp.normagroup.com.tr
                    		104.247.165.99
                    		truetrueunknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://ftp.normagroup.com.trRegSvcs.exe, 0000000D.00000002.3740958147.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3740958147.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3740958147.0000000002E55000.00000004.00000800.00020000.00000000.sdmptrue
                    • 11%, Virustotal, Browse
                    • Avira URL Cloud: malware
                    		unknown
                    http://upx.sf.netAmcache.hve.17.drfalse
                    • URL Reputation: safe
                    		unknown
                    https://account.dyn.com/hesaphareketi__.exe, 00000004.00000002.1435427718.000001CED2824000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 0000000D.00000002.3740958147.0000000002E01000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    104.247.165.99
                    		ftp.normagroup.com.trUnited States
                    		8100ASN-QUADRANET-GLOBALUStrue

                    General Information

                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1465903
                    Start date and time:2024-07-02 08:30:28 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 9s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:28
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:hesaphareketi__.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.expl.evad.winEXE@9/5@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 82%
                    • Number of executed functions: 68
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                    Warnings

                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.189.173.22
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    02:31:31API Interceptor11382935x Sleep call for process: RegSvcs.exe modified
                    02:31:40API Interceptor1x Sleep call for process: WerFault.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    104.247.165.99hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                      hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                        hesaphareketi-01-pdf.exeGet hashmaliciousAgentTeslaBrowse
                          19-03-2024_Takas_Sonuclari.exeGet hashmaliciousAgentTeslaBrowse
                            CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exeGet hashmaliciousAgentTeslaBrowse
                              hesaphareketi-14-06-2024.exeGet hashmaliciousAgentTeslaBrowse
                                hesaphareketi01.exeGet hashmaliciousAgentTeslaBrowse
                                  hesaphareketi01--.exeGet hashmaliciousAgentTeslaBrowse
                                    hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                      hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ftp.normagroup.com.trhesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi-01-pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        19-03-2024_Takas_Sonuclari.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi-14-06-2024.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi01.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi01--.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ASN-QUADRANET-GLOBALUSnn7XSQfsNc.exeGet hashmaliciousGuLoaderBrowse
                                        • 147.78.240.182
                                        nn7XSQfsNc.exeGet hashmaliciousGuLoaderBrowse
                                        • 147.78.240.182
                                        xP1455Elxv.elfGet hashmaliciousMirai, MoobotBrowse
                                        • 23.153.78.247
                                        gO6RAJaFXe.elfGet hashmaliciousMiraiBrowse
                                        • 23.153.31.217
                                        r2ye3b3z8R.elfGet hashmaliciousMiraiBrowse
                                        • 156.239.26.202
                                        hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        hesaphareketi-01-pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.247.165.99
                                        RFQ678903423_PROD_HASUE_de_Mexico_ExportS.exeGet hashmaliciousRemcos, DarkTortillaBrowse
                                        • 64.188.26.202
                                        BNP DOC 12578945329763-7633562829.exeGet hashmaliciousRemcosBrowse
                                        • 104.223.119.206

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hesaphareketi__._1cfc9f95d0ac0ef7b4ea5d88dfd59ba3ea51acd_450e69c1_03aa1bc2-e93c-49cf-bd30-47bb52d92b80\Report.wer

                                        Download File
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.0890052492341191
                                        Encrypted:false
                                        SSDEEP:192:ycnoNkMD0UnUFaWBe3ZFlnG7V/zuiFipZ24lO8QWXpZ:DoNkMwUnUFamwGhzuiFipY4lO8QW3
                                        MD5:2C7C91E97E69429C8CC872CEA1D2B69C
                                        SHA1:1AB7118D759DADFC6ABB87B4C0ED4508302B02BB
                                        SHA-256:01B95F31AA5D704C9123AC5798782245B9DCE06561C6B0FBC453655B000F3C0D
                                        SHA-512:DDC6BEE8419DBC6AE9803EDFFBFC34394705C2BD1645D0CC51DB18902840448C620072BE9EDF76F81EF6DDCE8C02FCE8EE8F8BF90C2FB5393A5B97A2D92E5F2F
                                        Malicious:false
                                        Reputation:low
                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.7.5.4.8.7.2.0.5.5.3.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.7.5.4.8.8.4.0.8.6.5.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.a.a.1.b.c.2.-.e.9.3.c.-.4.9.c.f.-.b.d.3.0.-.4.7.b.b.5.2.d.9.2.b.8.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.7.7.3.4.8.9.-.c.e.7.6.-.4.f.c.b.-.a.8.8.6.-.e.7.1.e.8.1.4.c.0.a.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.h.e.s.a.p.h.a.r.e.k.e.t.i._._...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.d.a.f.a.f.e.t.u.z.i.b.u.n.o.y.o.r.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.c.-.0.0.0.1.-.0.0.1.4.-.4.9.2.5.-.c.c.7.5.4.9.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.4.3.a.a.3.2.3.2.1.5.5.6.c.c.1.6.5.4.1.1.0.3.8.9.f.f.a.9.1.9.a.0.0.0.0.0.0.0.0.!.0.0.0.0.e.1.7.e.7.0.a.3.e.2.c.1.8.1.c.2.b.b.3.2.3.8.6.9.0.5.8.d.b.b.0.6.3.8.8.7.9.f.3.5.

                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF96D.tmp.dmp

                                        Download File
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:Mini DuMP crash report, 16 streams, Tue Jul 2 06:31:27 2024, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):456975
                                        Entropy (8bit):3.4450470225493715
                                        Encrypted:false
                                        SSDEEP:3072:2hE3b9AZumk2gZ9lFTV1CCqopA3+vL2X50JbGN4wNvwA6cSTkFJ303l:2A5AZuR2AqgA3QL4eKN9m
                                        MD5:8FCDF2B31494FA7D7B84F7F10240EAAE
                                        SHA1:B524EB38DB988A5F198616E9825599F9415CB656
                                        SHA-256:47D388C70A24680B82919B6E5E909481A2587B050F062FB2E889B85056653B02
                                        SHA-512:52529EC8D703A74BBE2267AFCB7E8382E727646D5B6CD94359D118EB6D037E7FA03AC57734F0F44B885C3085AFEA18C2066FA1781B27EA31670831811A14D49C
                                        Malicious:false
                                        Reputation:low
                                        Preview:MDMP..a..... ..........f............................4.......$...(...........L........T..............l.......8...........T...........p,...............<...........>..............................................................................eJ......T?......Lw......................T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBDF.tmp.WERInternalMetadata.xml

                                        Download File
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):8878
                                        Entropy (8bit):3.712355598512624
                                        Encrypted:false
                                        SSDEEP:192:R6l7wVeJUhHOVI6YNzIRigmfjqqpr389b6Tifw+m:R6lXJCOa6Y5IRigmfjqX6WfA
                                        MD5:E0DA1F17E21116D2AE90EBAB378D7FFC
                                        SHA1:65D48CFA8E1619C91844CAE45A590F91EF56B10C
                                        SHA-256:2FEF83B8AE23ECEC4BCB7A259B3E8EC56AECA6CF1B228FB94603A97777950101
                                        SHA-512:19E624FAC0CE2CB8EDD22E69091F7DDC970B54ADE03343F67EBEA89A3A189F4DDB8AD5507BCF2DC63854427BEC81970305B0EAEC0BF61A416EF6CBACA2E485B8
                                        Malicious:false
                                        Reputation:low
                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.1.6.<./.P.i.

                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC0F.tmp.xml

                                        Download File
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4794
                                        Entropy (8bit):4.521224792503525
                                        Encrypted:false
                                        SSDEEP:48:cvIwWl8zsIJg771I9tKWpW8VYaYm8M4JKqNAF0yq85aoeJqUI8IR9d:uIjfOI72r7VqJNzweqZNR9d
                                        MD5:027BA74E5C3B8433EC4242655E0BA981
                                        SHA1:06A657DC2AC25902A4AA1171ABA448840EF43FF2
                                        SHA-256:13D974F49777533F73CB408941A512B670D55A4424493E196D89B9B02BC0ADCB
                                        SHA-512:FFB64D5BB0E532457650A1D37561A7EC5A7D4BA80B13568D167D9A781F0A667ACCBE2A25282B0B28D1600A666081A073656318F7BE520D048DC93FEF66E32FD5
                                        Malicious:false
                                        Reputation:low
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392974" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                        C:\Windows\appcompat\Programs\Amcache.hve

                                        Download File
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:MS Windows registry file, NT/2000 or above
                                        Category:dropped
                                        Size (bytes):1835008
                                        Entropy (8bit):4.417241958803592
                                        Encrypted:false
                                        SSDEEP:6144:1cifpi6ceLPL9skLmb0m2SWSPtaJG8nAgex285i2MMhA20X4WABlGuNL5+:Si582SWIZBk2MM6AFBZo
                                        MD5:16335895A8C3A9FEB08CB7608D39A558
                                        SHA1:B6E8B4ED5BC6ADF7286FD8D77888A8A1EE6F9CB3
                                        SHA-256:55096EC37DF8B5BBF46ED2A89F9EF707AB472D5BDDE349D3BDD69E84AE80F917
                                        SHA-512:D59DCBEE56B31B6502A5D62206E1499ED9EEF0DF5B4B45D94EEAC4EBDABCECA0D755E01125DEC5859F871B6F49AE77CF8E02C49087FC6A29ACDFB8189D27905A
                                        Malicious:false
                                        Reputation:low
                                        Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...wI...............................................................................................................................................................................................................................................................................................................................................].C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                        Static File Info

                                        General

                                        File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):4.502403216912425
                                        TrID:
                                        • Win64 Executable Console Net Framework (206006/5) 48.58%
                                        • Win64 Executable Console (202006/5) 47.64%
                                        • Win64 Executable (generic) (12005/4) 2.83%
                                        • Generic Win/DOS Executable (2004/3) 0.47%
                                        • DOS Executable Generic (2002/1) 0.47%
                                        File name:hesaphareketi__.exe
                                        File size:3'026'543 bytes
                                        MD5:9c2532282edd4f242a56d901d607aea5
                                        SHA1:e17e70a3e2c181c2bb323869058dbb0638879f35
                                        SHA256:46904554ed16878ec25cd13f60565f3a032a226d44994d4cdc672d056792f2c0
                                        SHA512:8a5f006da64a05929f2b46dd9c34fd30bc194b824368c7ac92c3ce24dd3ebb7928048f4a4335d97a367dd996114739ebeabed04f8f4582f63c2c97c8aee1ea6c
                                        SSDEEP:12288:AkTs0f7r4+CO04RDPolo5ve59+3kmh3rA46w7BMAy:AdKrXRDP6b7fZw7aAy
                                        TLSH:4EE51219B16B9E27FE9B0678E0D535F101FC9C6771F2A56FEF816CA448823BD4608172
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.B................ ....@...... ....................................`................................

                                        File Icon

                                        Icon Hash:00928e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x400000
                                        Entrypoint Section:
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows cui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6682ACAB [Mon Jul 1 13:18:35 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:

                                        Entrypoint Preview

                                        Instruction
                                        dec ebp
                                        pop edx
                                        nop
                                        add byte ptr [ebx], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax+eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xc0000x9d4.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0xb3a60x1c.text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000x94420x96004d3a1d2bf5052a74238d430efb8dbcc9False0.5840625data6.42529788752077IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc0xc0000x9d40xa008f16716fde04827bf044369de4b7901fFalse0.3109375data4.159395668571801IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                        RT_VERSION0xc0b80x398OpenPGP Public Key0.4891304347826087
                                        RT_VERSION0xc4500x398OpenPGP Public KeyEnglishUnited States0.4902173913043478
                                        RT_MANIFEST0xc7e80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                        Possible Origin

                                        Language of compilation systemCountry where language is spokenMap
                                        EnglishUnited States

                                        Network Behavior

                                        Snort IDS Alerts

                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                        07/02/24-08:31:31.384582TCP2029927ET TROJAN AgentTesla Exfil via FTP4970321192.168.2.7104.247.165.99
                                        07/02/24-08:31:32.008033TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil5591651716192.168.2.7104.247.165.99
                                        07/02/24-08:31:32.008033TCP2855542ETPRO TROJAN Agent Tesla CnC Exfil Activity5591651716192.168.2.7104.247.165.99

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Jul 2, 2024 08:31:29.335886002 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:29.341936111 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:29.344525099 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:29.976588964 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:29.976878881 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:29.982034922 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:30.201163054 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:30.201338053 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:30.206216097 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:30.462807894 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:30.463068962 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:30.470136881 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:30.692195892 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:30.692419052 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:30.697746992 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:30.916644096 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:30.916959047 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:30.921892881 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:31.140937090 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:31.141149044 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:31.146143913 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:31.365328074 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:31.378616095 CEST5591651716192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:31.383824110 CEST5171655916104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:31.383954048 CEST5591651716192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:31.384582043 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:31.389401913 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:32.007783890 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:32.008033037 CEST5591651716192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:32.008083105 CEST5591651716192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:32.012880087 CEST5171655916104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:32.013381958 CEST5171655916104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:32.013437986 CEST5591651716192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:32.059031010 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:31:32.233309984 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:31:32.277816057 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:54.873507977 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:54.881119013 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.101444006 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.101931095 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.107094049 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.107161045 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.107234955 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.112150908 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.736399889 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.738193035 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.743125916 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743159056 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743194103 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743204117 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743216038 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.743242979 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.743244886 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743282080 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743288040 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.743290901 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743320942 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.743350029 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.743415117 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743424892 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743463993 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.743673086 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.743818998 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.748665094 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.748677969 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.748725891 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.748776913 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.748785973 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.748795033 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.748801947 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.748842955 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.748867989 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.749044895 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.749330997 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.749332905 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.749533892 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.749650955 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.753567934 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.753977060 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.754105091 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.754247904 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.754806042 CEST6470755932104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:55.754853010 CEST5593264707192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:55.777895927 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:32:56.224015951 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:32:56.277873039 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:03.847776890 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:03.852647066 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.072108030 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.076212883 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.082521915 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.082637072 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.082731962 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.087559938 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.709253073 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.709523916 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.714426994 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714481115 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714482069 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.714490891 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714502096 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714513063 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.714543104 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.714569092 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714580059 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714603901 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.714621067 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.714653015 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714663029 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714685917 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714710951 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.714724064 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.714735985 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.714755058 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.719569921 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.719583988 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.719610929 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.719630957 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.719651937 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.719690084 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.719721079 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.719762087 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.719777107 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.719786882 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.719820023 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.719901085 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.719947100 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.720042944 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.720053911 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.720118046 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.720144987 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.720196962 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.720278025 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.720288038 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.724456072 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.724490881 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.724586964 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.724714041 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.724771976 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.724896908 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.724947929 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.725276947 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.725289106 CEST6401455933104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:04.725327969 CEST5593364014192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:04.762270927 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:05.195003033 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:05.247797966 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:11.594865084 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:11.604712963 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:11.823770046 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:11.824897051 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:11.829864025 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:11.829962015 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:11.830256939 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:11.835057974 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.076951027 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.077172995 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.077214003 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.077219963 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.077281952 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.077313900 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.082184076 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.082195044 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.082278967 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.082298040 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.082307100 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.082314968 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.082340956 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.082371950 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.086529016 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.086580038 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.086595058 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.086605072 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.086613894 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.086633921 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.086658955 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.086694002 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.086735964 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.087151051 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.087166071 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.087192059 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.087205887 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.087269068 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.087279081 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.087286949 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.087295055 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.087310076 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.087333918 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.087383032 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.087405920 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.087421894 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.087435007 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.091466904 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.091495991 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.091547012 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.091633081 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092070103 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092189074 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092200041 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092226982 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092272997 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092331886 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092346907 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092376947 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092776060 CEST5061755934104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.092823982 CEST5593450617192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:13.560667992 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:13.606396914 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:29.939088106 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:29.943953991 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.162985086 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.163665056 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.168544054 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.168744087 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.168812037 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.173583984 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.796581030 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.797127962 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.801991940 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802074909 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.802086115 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802095890 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802104950 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802128077 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802135944 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802140951 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.802167892 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802176952 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802186966 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.802201033 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.802215099 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802223921 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.802232027 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.802251101 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.802263021 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.806905031 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.806925058 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.806934118 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.806946039 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.806963921 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.806987047 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.807003021 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.807106018 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.807135105 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.807146072 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.807167053 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.807236910 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.807282925 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.807305098 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.811763048 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.811815977 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.811861992 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.811947107 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.812033892 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.812042952 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.812104940 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.812165022 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.812249899 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.812710047 CEST6158255935104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.812760115 CEST5593561582192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.815740108 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.820663929 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:30.820730925 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:30.840428114 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:31.281188011 CEST2149703104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:31.325799942 CEST4970321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:31.467953920 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:31.468287945 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:31.473548889 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:31.697624922 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:31.697891951 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:31.702728987 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:32.139686108 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:32.140043020 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:32.145030022 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:32.368590117 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:32.368709087 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:32.374063015 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:32.599812984 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:32.600002050 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:32.604973078 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:32.828377962 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:32.828665972 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:32.833463907 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.057976007 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.058471918 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.063349009 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.063452005 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.063518047 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.068371058 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.701510906 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.702270031 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.707205057 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707261086 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707269907 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707278967 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707288980 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.707336903 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707381010 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.707386017 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707396030 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707405090 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707416058 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.707453012 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.707468987 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.707742929 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.709992886 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.712114096 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712243080 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712251902 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712263107 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712271929 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712280989 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.712286949 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712296963 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712322950 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.712357044 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712366104 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712390900 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.712462902 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712515116 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.712533951 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.715076923 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.717298985 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.717375994 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.717425108 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.717709064 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.717719078 CEST5652955937104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:33.717845917 CEST5593756529192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:33.778070927 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:34.190567970 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:34.355990887 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:36.912060976 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:36.917032003 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.140625954 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.141077042 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.146104097 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.146222115 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.146300077 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.151257038 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.772665024 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.774153948 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.779103041 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779189110 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779197931 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779211044 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779262066 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.779283047 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779294968 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.779339075 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779350042 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779359102 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779365063 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.779370070 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.779443979 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.779983044 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.782042027 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.785700083 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.785737038 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.785746098 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.785757065 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.785800934 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.785800934 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.785815001 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.785837889 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.785873890 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.787484884 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.788297892 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.788374901 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.790666103 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.791039944 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.791110039 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.791450024 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.793174028 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.793219090 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.793329954 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.794723988 CEST5479655938104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:37.795021057 CEST5593854796192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:37.887383938 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:38.270345926 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:38.324829102 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:38.446055889 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:38.450934887 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:38.674753904 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:38.675393105 CEST5593957829192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:38.680316925 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:38.680412054 CEST5593957829192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:38.680500031 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:38.685440063 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.311335087 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.318160057 CEST5593957829192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:39.323246956 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323263884 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323318005 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323327065 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323337078 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323344946 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323354006 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323393106 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323402882 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323436975 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.323513985 CEST5593957829192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:39.328666925 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328686953 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328694105 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328701973 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328706980 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328712940 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328718901 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328721046 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328723907 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.328855991 CEST5593957829192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:39.329008102 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.333993912 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334147930 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334156036 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334166050 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334301949 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334304094 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334309101 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334453106 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334461927 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.334605932 CEST5782955939104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.341810942 CEST5593957829192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:39.356292963 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:39.804217100 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:39.856509924 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:43.908185005 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:43.913047075 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.139770985 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.142545938 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.147501945 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.147799969 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.147943020 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.152914047 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.778208971 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.778520107 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784471035 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784539938 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784547091 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784579039 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784600973 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784630060 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784648895 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784658909 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784677982 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784703970 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784708977 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784738064 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784756899 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784787893 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784787893 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784832954 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784836054 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784862041 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.784874916 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.784910917 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.789700031 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.789753914 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.789773941 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.789803982 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.789833069 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.789846897 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.789854050 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.789882898 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.789895058 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.789911985 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.789921045 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.789943933 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.789961100 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.789977074 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.790015936 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.790062904 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.790088892 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.790096045 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.790163994 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.790194988 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.790261984 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.794831038 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.795074940 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.795151949 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.795239925 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.795312881 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.795321941 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.795449018 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.795860052 CEST5076355940104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:44.795933008 CEST5594050763192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:44.824836969 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:45.272697926 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:45.327794075 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:46.141793966 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:46.146954060 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:46.370378971 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:46.370898962 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:46.376518965 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:46.376585960 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:46.376705885 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:46.381645918 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.007302999 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.007590055 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.012691975 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012733936 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012763023 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012784004 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.012814999 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012845039 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012851954 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.012867928 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.012875080 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012902975 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.012903929 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012929916 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.012948036 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.012955904 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012984991 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.012999058 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.013015985 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.013025999 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.013081074 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.017883062 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.017914057 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.017951965 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.017961979 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.017991066 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.017992020 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.018007994 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.018038034 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.018043041 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.018089056 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.018094063 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.018122911 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.018143892 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.018168926 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.018177032 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.018203020 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.018227100 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.018301010 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.018328905 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.018470049 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.023304939 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.023507118 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.023535967 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.023591042 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.023691893 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.023720026 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.023749113 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.024077892 CEST6001755941104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.024137974 CEST5594160017192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.056353092 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.497030973 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.506128073 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.511183977 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.734734058 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.738285065 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.743099928 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:47.745917082 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.746058941 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:47.750827074 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.372675896 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.372939110 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.377895117 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.377908945 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.377917051 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.377965927 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.377971888 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.378016949 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.378026009 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.378034115 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.378035069 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.378050089 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.378060102 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.378068924 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.378103018 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.378213882 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.378223896 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.378259897 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.378276110 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.382886887 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.382926941 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.382934093 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.382940054 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.382961988 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.382972002 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.382980108 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.382985115 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.383004904 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.383014917 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.383023977 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.383042097 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.383064032 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.383075953 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.383116961 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.383137941 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.383164883 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.383176088 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.383233070 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.384033918 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.387921095 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.387933969 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.387995005 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.388443947 CEST5048655942104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.388499975 CEST5594250486192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.418612003 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:48.862423897 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:33:48.902997017 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:59.922976971 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:33:59.927880049 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.151571989 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.154252052 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.159090042 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.159192085 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.159363985 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.164110899 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.853056908 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.853401899 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858172894 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858217001 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858236074 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858263969 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858277082 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858289003 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858297110 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858326912 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858339071 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858356953 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858382940 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858392000 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858402014 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858422995 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858434916 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858443975 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858483076 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.858494043 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.858526945 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.863126993 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.863138914 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.863147974 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.863173962 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.863193989 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.863277912 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.863287926 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.863317013 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.863329887 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.863358974 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.863404036 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.863410950 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.863455057 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.863495111 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.863540888 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.867945910 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868081093 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868092060 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868170977 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868204117 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868232965 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868387938 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868433952 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868443012 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868676901 CEST5626355943104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:00.868721008 CEST5594356263192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:00.903033972 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:01.339080095 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:01.387888908 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:06.878912926 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:07.262495041 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:07.843801975 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:07.843818903 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.067945957 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.070318937 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.075150967 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.077883005 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.077882051 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.083681107 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.707158089 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.707425117 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.712346077 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712361097 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712383986 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712392092 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712419987 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712428093 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.712486982 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.712548971 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712558031 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712565899 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712595940 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712596893 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.712611914 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.712639093 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.712785959 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.712826014 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.717222929 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717267990 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717276096 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717278957 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.717308044 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717312098 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717366934 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.717375994 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717423916 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.717438936 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717448950 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717479944 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.717499018 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.717528105 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717565060 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.717571974 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717609882 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.717633963 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.717688084 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.722259998 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.722352982 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.722465038 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.722485065 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.722625017 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.722656012 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.722901106 CEST6171855944104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:08.722943068 CEST5594461718192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:08.772254944 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:09.193188906 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:09.278028965 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:10.859442949 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:10.865297079 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.089162111 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.089675903 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.094510078 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.094588041 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.094716072 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.099704981 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.720366955 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.720702887 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.725720882 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.725759983 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.725805998 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.725815058 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.725828886 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.725878954 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.725887060 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.725982904 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.726010084 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.726051092 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.726061106 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.726094961 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.726103067 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.726106882 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.726123095 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.726187944 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734230042 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734255075 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734275103 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734383106 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734467030 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734513044 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734540939 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734549999 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734574080 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734586000 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734608889 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734616995 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734622002 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734754086 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734764099 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734778881 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734805107 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734832048 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.734913111 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734920979 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.734991074 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.739526033 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.739643097 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.739846945 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.739909887 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.740024090 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.740529060 CEST6229455945104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:11.740658045 CEST5594562294192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:11.777992010 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:12.209450960 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:12.278482914 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:20.540561914 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:20.545456886 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:20.769150972 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:20.769712925 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:20.774772882 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:20.774851084 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:20.775026083 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:20.780096054 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.421679020 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.426222086 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.431324005 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431340933 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431405067 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431438923 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431448936 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431457996 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431468010 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431477070 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431482077 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.431524992 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431535006 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.431585073 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.436510086 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.436522961 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.436609983 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.436626911 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.436649084 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.436672926 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.436681986 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.436711073 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.436825037 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.436933041 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.436984062 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.436994076 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.437000990 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.437010050 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.437110901 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.441622019 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.441709042 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.441749096 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.441955090 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.441966057 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.442025900 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.442035913 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.442358017 CEST5020355946104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.442475080 CEST5594650203192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.466749907 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:21.912955999 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:21.965531111 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:51.282322884 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:51.288248062 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:51.511667967 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:51.512331009 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:51.517221928 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:51.519895077 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:51.519893885 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:51.524846077 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.148730993 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.150528908 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.155426979 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155457020 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155472994 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155494928 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155505896 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155559063 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.155617952 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155627012 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155637026 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.155703068 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155713081 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155806065 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.155848026 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.155978918 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.160531998 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160545111 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160587072 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160597086 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160613060 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160621881 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160633087 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.160650015 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160691023 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160707951 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.160720110 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160751104 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160782099 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.160850048 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160866022 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.160973072 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.165498972 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.165586948 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.165647030 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.165656090 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.165663958 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.165688038 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.165697098 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.165971994 CEST5122355947104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.169904947 CEST5594751223192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.199965000 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:34:52.636116982 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:34:52.684345961 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:05.847688913 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:05.852652073 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.082647085 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.088186026 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.097192049 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.099836111 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.100020885 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.106328011 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.743748903 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.752274036 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.757230997 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757246017 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757276058 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.757309914 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.757390976 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757424116 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.757424116 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757456064 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.757504940 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757513046 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757545948 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757544041 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.757582903 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757591009 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757599115 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.757606030 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.757613897 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.757641077 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.762129068 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.762149096 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.762156963 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.762171030 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.762190104 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.762196064 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.762197971 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.762207031 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.762207985 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.762236118 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.762247086 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.762273073 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.762315035 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.762568951 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.762615919 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.762674093 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.768294096 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.768532991 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.768754959 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.769026995 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.769577980 CEST5325255948104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:06.769614935 CEST5594853252192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:06.791214943 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:07.258270979 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:07.307317019 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.111686945 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.116725922 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.340334892 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.344153881 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.349198103 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.351790905 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.351942062 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.356717110 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.988682985 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.988939047 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.993843079 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.993856907 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.993865967 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.993887901 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.993896008 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.993905067 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.993926048 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.993984938 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.994002104 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.994034052 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.994043112 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.994044065 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.994072914 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.994082928 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.994126081 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.994164944 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.998785019 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.998797894 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.998821020 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.998831034 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.998833895 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.998868942 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.998919010 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.998929024 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.998943090 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.998960018 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.998975039 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.998996973 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.999007940 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.999016047 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.999032021 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:12.999106884 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.999272108 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.999280930 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:12.999289036 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.004420042 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.004466057 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.004525900 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.004535913 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.004569054 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.004626989 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.004674911 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.004954100 CEST5158155949104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.005007982 CEST5594951581192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:13.059361935 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:13.478420019 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:13.671693087 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:22.142330885 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:22.147353888 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:22.372498989 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:22.374198914 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:22.379821062 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:22.381146908 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:22.381253004 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:22.386063099 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.020896912 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.021145105 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.026061058 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026083946 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026093960 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026103973 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026113033 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026118994 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.026122093 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026169062 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.026192904 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.026230097 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026247025 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026254892 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.026268005 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.026318073 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.031017065 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.031076908 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.031162977 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.031172991 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.031188965 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.031217098 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.031239033 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.035717010 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.035729885 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.035738945 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.035748005 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.035757065 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.035764933 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.035769939 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.035809040 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.035829067 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.035955906 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.035995007 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.036242008 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.036432981 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.040666103 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.040853977 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.041037083 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.041315079 CEST5460055950104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.041359901 CEST5595054600192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.075032949 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:23.510488033 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:23.561753988 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:28.815468073 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:28.820278883 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.044017076 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.044465065 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.049401045 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.049465895 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.049643993 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.054471970 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.679682016 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.680210114 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.685189009 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685200930 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685209990 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685219049 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685229063 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685236931 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685245991 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685264111 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685272932 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685280085 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.685281992 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.685313940 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.685419083 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.690418005 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690428972 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690437078 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690445900 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690454006 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690462112 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690471888 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690489054 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.690495968 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690505028 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690527916 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690532923 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.690543890 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690567970 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.690599918 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.690642118 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.695266008 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695358038 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695437908 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695539951 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695569992 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695578098 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695612907 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695678949 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695688009 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.695956945 CEST5985155951104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:29.699781895 CEST5595159851192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:29.871893883 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:30.169251919 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:30.371937037 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:30.770523071 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:30.775465012 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:30.998970032 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:31.054836035 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:33.432410002 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:33.437372923 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:33.437458038 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:33.437571049 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:33.442373037 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:33.469814062 CEST5595321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:33.474844933 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:33.474993944 CEST5595321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.058540106 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.059324980 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.064512014 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064527988 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064544916 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064553976 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064569950 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064579010 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064588070 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064677954 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064677954 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.064687014 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064703941 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.064723969 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.064740896 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.069623947 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.069653034 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.069663048 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.069695950 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.069700003 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.069740057 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.069848061 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.069858074 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.069896936 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.077495098 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.077558041 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.082570076 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.082636118 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.082917929 CEST5058555952104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.082971096 CEST5595250585192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.106406927 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.107469082 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.107651949 CEST5595321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.112617970 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.335042953 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.335370064 CEST5595321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.342185020 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.545200109 CEST2155936104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.590770006 CEST5593621192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.616733074 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.616982937 CEST5595321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.621771097 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.840935946 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:34.841192007 CEST5595321192.168.2.7104.247.165.99
                                        Jul 2, 2024 08:35:34.846040964 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:35.064733028 CEST2155953104.247.165.99192.168.2.7
                                        Jul 2, 2024 08:35:35.106290102 CEST5595321192.168.2.7104.247.165.99

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Jul 2, 2024 08:31:29.133210897 CEST6070253192.168.2.71.1.1.1
                                        Jul 2, 2024 08:31:29.327475071 CEST53607021.1.1.1192.168.2.7
                                        Jul 2, 2024 08:31:29.406774998 CEST53543381.1.1.1192.168.2.7

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                        Jul 2, 2024 08:31:29.133210897 CEST192.168.2.71.1.1.10xdb39Standard query (0)ftp.normagroup.com.trA (IP address)IN (0x0001)false

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                        Jul 2, 2024 08:31:29.327475071 CEST1.1.1.1192.168.2.70xdb39No error (0)ftp.normagroup.com.tr104.247.165.99A (IP address)IN (0x0001)false

                                        FTP Packets

                                        TimestampSource PortDest PortSource IPDest IPCommands
                                        Jul 2, 2024 08:31:29.976588964 CEST2149703104.247.165.99192.168.2.7220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.220-Local time is now 09:31. Server port: 21.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.220-Local time is now 09:31. Server port: 21.220-This is a private system - No anonymous login
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.220-Local time is now 09:31. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 33 of 50 allowed.220-Local time is now 09:31. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                        Jul 2, 2024 08:31:29.976878881 CEST4970321192.168.2.7104.247.165.99USER admin@normagroup.com.tr
                                        Jul 2, 2024 08:31:30.201163054 CEST2149703104.247.165.99192.168.2.7331 User admin@normagroup.com.tr OK. Password required
                                        Jul 2, 2024 08:31:30.201338053 CEST4970321192.168.2.7104.247.165.99PASS Qb.X[.j.Yfm[
                                        Jul 2, 2024 08:31:30.462807894 CEST2149703104.247.165.99192.168.2.7230 OK. Current restricted directory is /
                                        Jul 2, 2024 08:31:30.692195892 CEST2149703104.247.165.99192.168.2.7504 Unknown command
                                        Jul 2, 2024 08:31:30.692419052 CEST4970321192.168.2.7104.247.165.99PWD
                                        Jul 2, 2024 08:31:30.916644096 CEST2149703104.247.165.99192.168.2.7257 "/" is your current location
                                        Jul 2, 2024 08:31:30.916959047 CEST4970321192.168.2.7104.247.165.99TYPE I
                                        Jul 2, 2024 08:31:31.140937090 CEST2149703104.247.165.99192.168.2.7200 TYPE is now 8-bit binary
                                        Jul 2, 2024 08:31:31.141149044 CEST4970321192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:31:31.365328074 CEST2149703104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,202,4)
                                        Jul 2, 2024 08:31:31.384582043 CEST4970321192.168.2.7104.247.165.99STOR PW_user-358075_2024_07_02_02_31_28.html
                                        Jul 2, 2024 08:31:32.007783890 CEST2149703104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:31:32.233309984 CEST2149703104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.225 seconds (measured here), 1.40 Kbytes per second
                                        Jul 2, 2024 08:32:54.873507977 CEST4970321192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:32:55.101444006 CEST2149703104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,252,195)
                                        Jul 2, 2024 08:32:55.107234955 CEST4970321192.168.2.7104.247.165.99STOR SC_user-358075_2024_07_30_23_38_15.jpeg
                                        Jul 2, 2024 08:32:55.736399889 CEST2149703104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:32:56.224015951 CEST2149703104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.495 seconds (measured here), 112.77 Kbytes per second
                                        Jul 2, 2024 08:33:03.847776890 CEST4970321192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:04.072108030 CEST2149703104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,250,14)
                                        Jul 2, 2024 08:33:04.082731962 CEST4970321192.168.2.7104.247.165.99STOR SC_user-358075_2024_08_06_03_05_40.jpeg
                                        Jul 2, 2024 08:33:04.709253073 CEST2149703104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:05.195003033 CEST2149703104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.485 seconds (measured here), 115.07 Kbytes per second
                                        Jul 2, 2024 08:33:11.594865084 CEST4970321192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:11.823770046 CEST2149703104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,197,185)
                                        Jul 2, 2024 08:33:11.830256939 CEST4970321192.168.2.7104.247.165.99STOR SC_user-358075_2024_08_12_15_11_55.jpeg
                                        Jul 2, 2024 08:33:13.076951027 CEST2149703104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:13.077172995 CEST2149703104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:13.077281952 CEST2149703104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:13.560667992 CEST2149703104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 1.108 seconds (measured here), 50.39 Kbytes per second
                                        Jul 2, 2024 08:33:29.939088106 CEST4970321192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:30.162985086 CEST2149703104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,240,142)
                                        Jul 2, 2024 08:33:30.168812037 CEST4970321192.168.2.7104.247.165.99STOR SC_user-358075_2024_08_22_20_35_46.jpeg
                                        Jul 2, 2024 08:33:30.796581030 CEST2149703104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:31.281188011 CEST2149703104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.484 seconds (measured here), 115.25 Kbytes per second
                                        Jul 2, 2024 08:33:31.467953920 CEST2155936104.247.165.99192.168.2.7220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 40 of 50 allowed.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 40 of 50 allowed.220-Local time is now 09:33. Server port: 21.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 40 of 50 allowed.220-Local time is now 09:33. Server port: 21.220-This is a private system - No anonymous login
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 40 of 50 allowed.220-Local time is now 09:33. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 40 of 50 allowed.220-Local time is now 09:33. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                        Jul 2, 2024 08:33:31.468287945 CEST5593621192.168.2.7104.247.165.99USER admin@normagroup.com.tr
                                        Jul 2, 2024 08:33:31.697624922 CEST2155936104.247.165.99192.168.2.7331 User admin@normagroup.com.tr OK. Password required
                                        Jul 2, 2024 08:33:31.697891951 CEST5593621192.168.2.7104.247.165.99PASS Qb.X[.j.Yfm[
                                        Jul 2, 2024 08:33:32.139686108 CEST2155936104.247.165.99192.168.2.7230 OK. Current restricted directory is /
                                        Jul 2, 2024 08:33:32.368590117 CEST2155936104.247.165.99192.168.2.7504 Unknown command
                                        Jul 2, 2024 08:33:32.368709087 CEST5593621192.168.2.7104.247.165.99PWD
                                        Jul 2, 2024 08:33:32.599812984 CEST2155936104.247.165.99192.168.2.7257 "/" is your current location
                                        Jul 2, 2024 08:33:32.600002050 CEST5593621192.168.2.7104.247.165.99TYPE I
                                        Jul 2, 2024 08:33:32.828377962 CEST2155936104.247.165.99192.168.2.7200 TYPE is now 8-bit binary
                                        Jul 2, 2024 08:33:32.828665972 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:33.057976007 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,220,209)
                                        Jul 2, 2024 08:33:33.063518047 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_08_25_11_13_20.jpeg
                                        Jul 2, 2024 08:33:33.701510906 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:34.190567970 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.489 seconds (measured here), 114.11 Kbytes per second
                                        Jul 2, 2024 08:33:36.912060976 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:37.140625954 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,214,12)
                                        Jul 2, 2024 08:33:37.146300077 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_09_01_00_34_09.jpeg
                                        Jul 2, 2024 08:33:37.772665024 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:38.270345926 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.498 seconds (measured here), 112.03 Kbytes per second
                                        Jul 2, 2024 08:33:38.446055889 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:38.674753904 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,225,229)
                                        Jul 2, 2024 08:33:38.680500031 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_09_03_20_46_54.jpeg
                                        Jul 2, 2024 08:33:39.311335087 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:39.804217100 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.493 seconds (measured here), 113.31 Kbytes per second
                                        Jul 2, 2024 08:33:43.908185005 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:44.139770985 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,198,75)
                                        Jul 2, 2024 08:33:44.147943020 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_09_08_11_05_37.jpeg
                                        Jul 2, 2024 08:33:44.778208971 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:45.272697926 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.492 seconds (measured here), 113.40 Kbytes per second
                                        Jul 2, 2024 08:33:46.141793966 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:46.370378971 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,234,113)
                                        Jul 2, 2024 08:33:46.376705885 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_09_12_14_29_20.jpeg
                                        Jul 2, 2024 08:33:47.007302999 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:47.497030973 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.489 seconds (measured here), 114.22 Kbytes per second
                                        Jul 2, 2024 08:33:47.506128073 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:33:47.734734058 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,197,54)
                                        Jul 2, 2024 08:33:47.746058941 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_09_15_08_49_03.jpeg
                                        Jul 2, 2024 08:33:48.372675896 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:33:48.862423897 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.489 seconds (measured here), 114.27 Kbytes per second
                                        Jul 2, 2024 08:33:59.922976971 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:34:00.151571989 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,219,199)
                                        Jul 2, 2024 08:34:00.159363985 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_09_22_22_57_33.jpeg
                                        Jul 2, 2024 08:34:00.853056908 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:34:01.339080095 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.545 seconds (measured here), 102.41 Kbytes per second
                                        Jul 2, 2024 08:34:06.878912926 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:34:07.262495041 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:34:08.067945957 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,241,22)
                                        Jul 2, 2024 08:34:08.077882051 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_10_02_15_36_05.jpeg
                                        Jul 2, 2024 08:34:08.707158089 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:34:09.193188906 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.486 seconds (measured here), 114.98 Kbytes per second
                                        Jul 2, 2024 08:34:10.859442949 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:34:11.089162111 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,243,86)
                                        Jul 2, 2024 08:34:11.094716072 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_10_06_14_59_38.jpeg
                                        Jul 2, 2024 08:34:11.720366955 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:34:12.209450960 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.489 seconds (measured here), 114.31 Kbytes per second
                                        Jul 2, 2024 08:34:20.540561914 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:34:20.769150972 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,196,27)
                                        Jul 2, 2024 08:34:20.775026083 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_10_13_00_33_03.jpeg
                                        Jul 2, 2024 08:34:21.421679020 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:34:21.912955999 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.491 seconds (measured here), 113.69 Kbytes per second
                                        Jul 2, 2024 08:34:51.282322884 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:34:51.511667967 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,200,23)
                                        Jul 2, 2024 08:34:51.519893885 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_10_30_15_17_23.jpeg
                                        Jul 2, 2024 08:34:52.148730993 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:34:52.636116982 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.486 seconds (measured here), 114.83 Kbytes per second
                                        Jul 2, 2024 08:35:05.847688913 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:35:06.082647085 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,208,4)
                                        Jul 2, 2024 08:35:06.100020885 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_11_08_06_50_40.jpeg
                                        Jul 2, 2024 08:35:06.743748903 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:35:07.258270979 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.498 seconds (measured here), 123.16 Kbytes per second
                                        Jul 2, 2024 08:35:12.111686945 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:35:12.340334892 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,201,125)
                                        Jul 2, 2024 08:35:12.351942062 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_11_14_00_22_03.jpeg
                                        Jul 2, 2024 08:35:12.988682985 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:35:13.478420019 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.489 seconds (measured here), 114.19 Kbytes per second
                                        Jul 2, 2024 08:35:22.142330885 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:35:22.372498989 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,213,72)
                                        Jul 2, 2024 08:35:22.381253004 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_11_20_15_14_44.jpeg
                                        Jul 2, 2024 08:35:23.020896912 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:35:23.510488033 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.490 seconds (measured here), 113.97 Kbytes per second
                                        Jul 2, 2024 08:35:28.815468073 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:35:29.044017076 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,233,203)
                                        Jul 2, 2024 08:35:29.049643993 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_11_25_17_32_07.jpeg
                                        Jul 2, 2024 08:35:29.679682016 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:35:30.169251919 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.490 seconds (measured here), 114.02 Kbytes per second
                                        Jul 2, 2024 08:35:30.770523071 CEST5593621192.168.2.7104.247.165.99PASV
                                        Jul 2, 2024 08:35:30.998970032 CEST2155936104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,197,153)
                                        Jul 2, 2024 08:35:33.437571049 CEST5593621192.168.2.7104.247.165.99STOR SC_user-358075_2024_11_28_17_17_56.jpeg
                                        Jul 2, 2024 08:35:34.058540106 CEST2155936104.247.165.99192.168.2.7150 Accepted data connection
                                        Jul 2, 2024 08:35:34.107469082 CEST2155953104.247.165.99192.168.2.7220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 50 of 50 allowed.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 50 of 50 allowed.220-Local time is now 09:35. Server port: 21.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 50 of 50 allowed.220-Local time is now 09:35. Server port: 21.220-This is a private system - No anonymous login
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 50 of 50 allowed.220-Local time is now 09:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 50 of 50 allowed.220-Local time is now 09:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                        Jul 2, 2024 08:35:34.107651949 CEST5595321192.168.2.7104.247.165.99USER admin@normagroup.com.tr
                                        Jul 2, 2024 08:35:34.335042953 CEST2155953104.247.165.99192.168.2.7331 User admin@normagroup.com.tr OK. Password required
                                        Jul 2, 2024 08:35:34.335370064 CEST5595321192.168.2.7104.247.165.99PASS Qb.X[.j.Yfm[
                                        Jul 2, 2024 08:35:34.545200109 CEST2155936104.247.165.99192.168.2.7226-File successfully transferred
                                        226-File successfully transferred226 0.486 seconds (measured here), 114.80 Kbytes per second
                                        Jul 2, 2024 08:35:34.616733074 CEST2155953104.247.165.99192.168.2.7230 OK. Current restricted directory is /
                                        Jul 2, 2024 08:35:34.840935946 CEST2155953104.247.165.99192.168.2.7504 Unknown command
                                        Jul 2, 2024 08:35:34.841192007 CEST5595321192.168.2.7104.247.165.99PWD
                                        Jul 2, 2024 08:35:35.064733028 CEST2155953104.247.165.99192.168.2.7257 "/" is your current location

                                        Statistics

                                        CPU Usage

                                        Click to jump to process

                                        Memory Usage

                                        Click to jump to process

                                        High Level Behavior Distribution

                                        Click to dive into process behavior distribution

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Target ID:4
                                        Start time:02:31:24
                                        Start date:02/07/2024
                                        Path:C:\Users\user\Desktop\hesaphareketi__.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\hesaphareketi__.exe"
                                        Imagebase:0x1cec0840000
                                        File size:3'026'543 bytes
                                        MD5 hash:9C2532282EDD4F242A56D901D607AEA5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1435427718.000001CED2824000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1435427718.000001CED2824000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1434723582.000001CEC2570000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:5
                                        Start time:02:31:24
                                        Start date:02/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:10
                                        Start time:02:31:26
                                        Start date:02/07/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                        Wow64 process (32bit):
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                        Imagebase:
                                        File size:47'584 bytes
                                        MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:false

                                        General

                                        Target ID:13
                                        Start time:02:31:26
                                        Start date:02/07/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                        Imagebase:0xa20000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3740958147.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3730532870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3740958147.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3740958147.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false

                                        General

                                        Target ID:14
                                        Start time:02:31:26
                                        Start date:02/07/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                        Imagebase:0x660000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:17
                                        Start time:02:31:26
                                        Start date:02/07/2024
                                        Path:C:\Windows\System32\WerFault.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 7116 -s 1128
                                        Imagebase:0x7ff6a7a50000
                                        File size:570'736 bytes
                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Disassembly

                                        Reset < >

                                          Execution Graph

                                          Execution Coverage:15%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:6
                                          Total number of Limit Nodes:0
                                          execution_graph 9455 7ffaaccb0da5 9456 7ffaaccb0dcf FreeConsole 9455->9456 9458 7ffaaccb0e4e 9456->9458 9451 7ffaaccb497a 9452 7ffaaccb4989 VirtualProtect 9451->9452 9454 7ffaaccb4a61 9452->9454

                                          Executed Functions

                                          Function 00007FFAACCBAC08 Relevance: 5.8, Strings: 4, Instructions: 843COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 0 7ffaaccbac08-7ffaaccbe7e5 2 7ffaaccbe7e7-7ffaaccbe828 0->2 3 7ffaaccbe82f-7ffaaccbe859 0->3 5 7ffaaccbe82e 2->5 6 7ffaaccbe872 3->6 7 7ffaaccbe85b-7ffaaccbe870 3->7 5->3 8 7ffaaccbe874-7ffaaccbe879 6->8 7->8 10 7ffaaccbe976-7ffaaccbe996 8->10 11 7ffaaccbe87f-7ffaaccbe88e 8->11 13 7ffaaccbe9e7-7ffaaccbe9f2 10->13 17 7ffaaccbe898-7ffaaccbe899 11->17 18 7ffaaccbe890-7ffaaccbe896 11->18 15 7ffaaccbe9f4-7ffaaccbea03 13->15 16 7ffaaccbe998-7ffaaccbe99e 13->16 26 7ffaaccbea05-7ffaaccbea17 15->26 27 7ffaaccbea19 15->27 19 7ffaaccbe9a4-7ffaaccbe9c5 call 7ffaaccbabe8 16->19 20 7ffaaccbee62-7ffaaccbeeb7 call 7ffaaccba328 16->20 21 7ffaaccbe89b-7ffaaccbe8b2 17->21 18->21 33 7ffaaccbe9ca-7ffaaccbe9e4 19->33 58 7ffaaccbeeb9-7ffaaccbeef1 call 7ffaaccb5bc8 20->58 59 7ffaaccbef01-7ffaaccbef0b 20->59 21->10 30 7ffaaccbea1b-7ffaaccbea20 26->30 27->30 31 7ffaaccbea26-7ffaaccbea48 call 7ffaaccbabe8 30->31 32 7ffaaccbeaac-7ffaaccbeac0 30->32 51 7ffaaccbea76-7ffaaccbea77 31->51 52 7ffaaccbea4a-7ffaaccbea74 31->52 34 7ffaaccbeac2-7ffaaccbeac8 32->34 35 7ffaaccbeb10-7ffaaccbeb1f 32->35 33->13 39 7ffaaccbeae7-7ffaaccbeaff 34->39 40 7ffaaccbeaca-7ffaaccbeae5 34->40 47 7ffaaccbeb2c 35->47 48 7ffaaccbeb21-7ffaaccbeb2a 35->48 49 7ffaaccbeb08-7ffaaccbeb0b 39->49 40->39 54 7ffaaccbeb2e-7ffaaccbeb33 47->54 48->54 50 7ffaaccbecb8-7ffaaccbeccd 49->50 62 7ffaaccbed0d 50->62 63 7ffaaccbeccf-7ffaaccbed0b 50->63 57 7ffaaccbea79-7ffaaccbea80 51->57 52->57 60 7ffaaccbeb39-7ffaaccbeb3c 54->60 61 7ffaaccbee3f-7ffaaccbee40 54->61 57->32 68 7ffaaccbea82-7ffaaccbeaa7 call 7ffaaccbac10 57->68 114 7ffaaccbeef3-7ffaaccbeefb 58->114 115 7ffaaccbeefc-7ffaaccbeeff 58->115 65 7ffaaccbef16-7ffaaccbef27 59->65 66 7ffaaccbef0d-7ffaaccbef15 59->66 69 7ffaaccbeb84 60->69 70 7ffaaccbeb3e-7ffaaccbeb5b call 7ffaaccb0188 60->70 67 7ffaaccbee43-7ffaaccbee52 61->67 77 7ffaaccbed0f-7ffaaccbed14 62->77 63->77 74 7ffaaccbef32-7ffaaccbef7f call 7ffaaccbc970 65->74 75 7ffaaccbef29-7ffaaccbef31 65->75 66->65 96 7ffaaccbee53-7ffaaccbee5b 67->96 68->32 98 7ffaaccbee2e-7ffaaccbee3e 68->98 73 7ffaaccbeb86-7ffaaccbeb8b 69->73 70->69 109 7ffaaccbeb5d-7ffaaccbeb82 70->109 85 7ffaaccbec8c-7ffaaccbecaf 73->85 86 7ffaaccbeb91-7ffaaccbeb9d 73->86 121 7ffaaccbef91 74->121 122 7ffaaccbef81-7ffaaccbef8f 74->122 75->74 82 7ffaaccbed84-7ffaaccbed98 77->82 83 7ffaaccbed16-7ffaaccbed1b 77->83 92 7ffaaccbede7-7ffaaccbedf3 call 7ffaaccb8860 82->92 93 7ffaaccbed9a-7ffaaccbedc5 call 7ffaaccb5b00 82->93 94 7ffaaccbed1e-7ffaaccbed6d call 7ffaaccb5b00 83->94 99 7ffaaccbecb5-7ffaaccbecb6 85->99 86->20 95 7ffaaccbeba3-7ffaaccbebb2 86->95 108 7ffaaccbedf4-7ffaaccbee0c 92->108 126 7ffaaccbedca-7ffaaccbedd2 93->126 144 7ffaaccbedde-7ffaaccbede3 94->144 145 7ffaaccbed6f-7ffaaccbed73 94->145 104 7ffaaccbebc5-7ffaaccbebd2 call 7ffaaccb0188 95->104 105 7ffaaccbebb4-7ffaaccbebc3 95->105 96->20 99->50 123 7ffaaccbebd8-7ffaaccbebde 104->123 105->123 108->20 116 7ffaaccbee0e-7ffaaccbee1e 108->116 109->73 114->115 115->59 124 7ffaaccbee20-7ffaaccbee2b 116->124 127 7ffaaccbef93-7ffaaccbef98 121->127 122->127 128 7ffaaccbec13-7ffaaccbec18 123->128 129 7ffaaccbebe0-7ffaaccbec0d 123->129 124->98 126->67 130 7ffaaccbedd4-7ffaaccbedd7 126->130 132 7ffaaccbef9a-7ffaaccbefad call 7ffaaccb4be0 127->132 133 7ffaaccbefaf-7ffaaccbefb5 127->133 128->20 135 7ffaaccbec1e-7ffaaccbec3e 128->135 129->128 130->96 136 7ffaaccbedd9 130->136 139 7ffaaccbefbc-7ffaaccbefc3 132->139 133->139 140 7ffaaccbefb7 call 7ffaaccb5b18 133->140 148 7ffaaccbec52-7ffaaccbec82 call 7ffaaccba3a8 135->148 149 7ffaaccbec40-7ffaaccbec51 135->149 136->124 143 7ffaaccbeddb 136->143 140->139 143->144 144->92 145->108 150 7ffaaccbed75-7ffaaccbed7e 145->150 154 7ffaaccbec87-7ffaaccbec8a 148->154 149->148 150->20 150->94 154->50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0#%$0#%$0#%$x!%
                                          • API String ID: 0-995454574
                                          • Opcode ID: 588f2a57c6ea43fb4c4966adde24834ad352f0ad26862b992bab35315c8c5b7e
                                          • Instruction ID: 3366fc1087d6a11cdbc9857f926254df006f3bb7ec6934f4392a0f70309b14f5
                                          • Opcode Fuzzy Hash: 588f2a57c6ea43fb4c4966adde24834ad352f0ad26862b992bab35315c8c5b7e
                                          • Instruction Fuzzy Hash: 20420430A0DA098FEB68DF69C455A7977E1EF5A701F1441BEE09EC3293DE24EC468781
                                          Function 00007FFAACCBFD35 Relevance: 2.4, Instructions: 2383COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c94073b47ae5fdb593b814deda8a35d7b3d087c720888639dba92c9b3535a14
                                          • Instruction ID: 25e17552d6c51004cffcf0b1d1d748198b0f3913d7421cf2ca479ed5256f6cb9
                                          • Opcode Fuzzy Hash: 4c94073b47ae5fdb593b814deda8a35d7b3d087c720888639dba92c9b3535a14
                                          • Instruction Fuzzy Hash: ECF2163051DB458FE35ADF2884914B5B7E1FF96301B1485BEE48AC72A6DE38E84AC7C1
                                          Function 00007FFAACCB5D7D Relevance: 1.6, Strings: 1, Instructions: 354COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: fish
                                          • API String ID: 0-1064584243
                                          • Opcode ID: 539cc540532f2c2adbb69feacec860698eccd5e6da0f0e5e317243a69079ecff
                                          • Instruction ID: ec03859fbcfff42b5719072d461b2d4b0061f11a5da74f636a4ce638a750883c
                                          • Opcode Fuzzy Hash: 539cc540532f2c2adbb69feacec860698eccd5e6da0f0e5e317243a69079ecff
                                          • Instruction Fuzzy Hash: 29910671A2CA498FEB5CEF69D4555B9B3E1FF9A310B00457EE44FC3292DE28E80646C1
                                          Function 00007FFAACCBCC44 Relevance: .7, Instructions: 736COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee5a05da02f0b9ec0b8f4277d7434eeb79a58844d5d319eee84bcd5e971a2025
                                          • Instruction ID: cf7e498dd6c17966024bffbd0a541d335a522c6e812c46d2b9be4a77b8a788f4
                                          • Opcode Fuzzy Hash: ee5a05da02f0b9ec0b8f4277d7434eeb79a58844d5d319eee84bcd5e971a2025
                                          • Instruction Fuzzy Hash: E822363190DA868FF349CF6984515B577E1EF96301B1485BED08ECB2A7DE28E84AC7C1
                                          Function 00007FFAACCB14ED Relevance: .6, Instructions: 594COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c66469a8a9b7aa5d898217d6565355781123ef95778a998008b416d14cf5c6f1
                                          • Instruction ID: ec635768c42b11e13c9e0f137b82c3aa73b3caa3883d120f93dfd58013c8a116
                                          • Opcode Fuzzy Hash: c66469a8a9b7aa5d898217d6565355781123ef95778a998008b416d14cf5c6f1
                                          • Instruction Fuzzy Hash: EB12027191DB858FE769CF2884056A67BE1FFA6310F1444BED08EC7293EE25D90AC781
                                          Function 00007FFAACCBD409 Relevance: .5, Instructions: 499COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe4d247cd76010879fa5b81abc31881d54c1b56e7dae9f982f004428753c0eb0
                                          • Instruction ID: feae4adc0b8a1f1f399e9439be148c0f0919621e7e9991a031ea3d721643eaaa
                                          • Opcode Fuzzy Hash: fe4d247cd76010879fa5b81abc31881d54c1b56e7dae9f982f004428753c0eb0
                                          • Instruction Fuzzy Hash: 7BE16A7091DB868FF31DCB6584552B1B7D1FF96301B04867ED4CACB2AADA28E44AC7C1
                                          Function 00007FFAACCB0508 Relevance: .3, Instructions: 307COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d0bce52c047140db6682e4fbff6dea85c1edf13dfe05ab2c71db401aaa4643d6
                                          • Instruction ID: dd8f63f46731a64be2f375af4958d297a0f2b17a5f123644791b59b79998f542
                                          • Opcode Fuzzy Hash: d0bce52c047140db6682e4fbff6dea85c1edf13dfe05ab2c71db401aaa4643d6
                                          • Instruction Fuzzy Hash: E791C030B189098BF768EFAD84557B9B6D2EF99300F5484B9D40EC76D3DE28EC464681
                                          Function 00007FFAACCB497A Relevance: 1.6, APIs: 1, Instructions: 135memoryCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1503 7ffaaccb497a-7ffaaccb4987 1504 7ffaaccb4992-7ffaaccb49a3 1503->1504 1505 7ffaaccb4989-7ffaaccb4991 1503->1505 1506 7ffaaccb49a5-7ffaaccb49ad 1504->1506 1507 7ffaaccb49ae-7ffaaccb4a5f VirtualProtect 1504->1507 1505->1504 1506->1507 1510 7ffaaccb4a67-7ffaaccb4a8f 1507->1510 1511 7ffaaccb4a61 1507->1511 1511->1510
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 2ae1d19971243e6a4276730a9fafaee0a48ba804d886501606c6736577e70032
                                          • Instruction ID: 9a4b05b33a35eb79f4258c70152799da02c966468e4b54dc7c9661f55e5f420e
                                          • Opcode Fuzzy Hash: 2ae1d19971243e6a4276730a9fafaee0a48ba804d886501606c6736577e70032
                                          • Instruction Fuzzy Hash: C741293090DB888FD719DBA898066F9BFF0EF56321F0442AFD049C3193DB646856C796
                                          Function 00007FFAACCB0DA5 Relevance: 1.6, APIs: 1, Instructions: 109COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1512 7ffaaccb0da5-7ffaaccb0e4c FreeConsole 1516 7ffaaccb0e54-7ffaaccb0e7b 1512->1516 1517 7ffaaccb0e4e 1512->1517 1517->1516
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439364354.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaaccb0000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID: ConsoleFree
                                          • String ID:
                                          • API String ID: 771614528-0
                                          • Opcode ID: 0d171f9206c653ca081b71e9cd1b67ae1e2688be338a2ff1aaa90c5c9017a917
                                          • Instruction ID: 1fbba363b66c03749cab94d57bf6fad607fde99f2d8a19cd208c975c826eb82c
                                          • Opcode Fuzzy Hash: 0d171f9206c653ca081b71e9cd1b67ae1e2688be338a2ff1aaa90c5c9017a917
                                          • Instruction Fuzzy Hash: 7031A17150D7488FDB15DFA8C849AEABBF0EF56320F0482AFD089C3552D768A84ACB51
                                          Function 00007FFAACD91091 Relevance: .3, Instructions: 333COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439726933.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaacd90000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e5343600a9d66fd33afcbd40470e7a92d3e0cd79e8d5c63eb356163cee2b065
                                          • Instruction ID: fdfc2ba601d749c19993343e7bd0a92955fdd408da42c7a245b70cb48f7c3e3c
                                          • Opcode Fuzzy Hash: 0e5343600a9d66fd33afcbd40470e7a92d3e0cd79e8d5c63eb356163cee2b065
                                          • Instruction Fuzzy Hash: 36A13A76A0E7868FE756D73888521A57FF0EF56300B0441FED49DCB492EA2DA84AC3C1
                                          Function 00007FFAACD9026B Relevance: .2, Instructions: 188COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439726933.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaacd90000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c42b542f14aec49f8f9f74d4a6294f9efc2e49393c0de8dd7b37277dfe190a41
                                          • Instruction ID: 7bbb5f35d2a1e7ac71e4b7110efe70d45026761861f9147ed7a5a7d953a664ca
                                          • Opcode Fuzzy Hash: c42b542f14aec49f8f9f74d4a6294f9efc2e49393c0de8dd7b37277dfe190a41
                                          • Instruction Fuzzy Hash: DA514B3490D649CFEB55DB58D8919F977E0FF5A300F1485A9D05ECB483EA29F84ACB80
                                          Function 00007FFAACD9110A Relevance: .1, Instructions: 128COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439726933.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaacd90000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd97c2f8519ac3fe2d8e670440f8344538bf1b37ce6628ba01db70f10e474998
                                          • Instruction ID: 9a5800c7bab13def2ef41f5a1a020563d358862ef5b508749cd13171b73ee86e
                                          • Opcode Fuzzy Hash: dd97c2f8519ac3fe2d8e670440f8344538bf1b37ce6628ba01db70f10e474998
                                          • Instruction Fuzzy Hash: 10412639A09A4DCFEB49EB24D8910B97BF0FF56300B1441BED05ED7991EA2AE845C7C1
                                          Function 00007FFAACD90A04 Relevance: .0, Instructions: 20COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1439726933.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffaacd90000_hesaphareketi__.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c7370ed54bfbe357e3169a6fdf3ea3a8e0a9d8a8eb410090ddb863f65e46b22
                                          • Instruction ID: b2be3c49cc297e951fad2a70ad34117a97ba55d91371268999870f5132a5c98c
                                          • Opcode Fuzzy Hash: 6c7370ed54bfbe357e3169a6fdf3ea3a8e0a9d8a8eb410090ddb863f65e46b22
                                          • Instruction Fuzzy Hash: 48E0E530A046288EDB60DB58DC81BE9B3B1EB84200F0041E5D44DA3242CA306A848F82

                                          Execution Graph

                                          Execution Coverage:7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:26
                                          Total number of Limit Nodes:5
                                          execution_graph 38360 2b809cd 38362 2b8084e 38360->38362 38361 2b8091b 38362->38361 38365 2b8133f 38362->38365 38371 2b81450 38362->38371 38366 2b8130c 38365->38366 38367 2b81343 38365->38367 38366->38362 38368 2b81448 38367->38368 38370 2b81450 3 API calls 38367->38370 38376 2b87059 38367->38376 38368->38362 38370->38367 38372 2b81356 38371->38372 38373 2b81448 38372->38373 38374 2b87059 3 API calls 38372->38374 38375 2b81450 3 API calls 38372->38375 38373->38362 38374->38372 38375->38372 38377 2b87063 38376->38377 38378 2b87119 38377->38378 38381 587d2c8 38377->38381 38386 587d2d8 38377->38386 38378->38367 38383 587d2d8 38381->38383 38382 587d502 38382->38378 38383->38382 38384 587d528 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 38383->38384 38385 587d51b GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 38383->38385 38384->38383 38385->38383 38387 587d2ed 38386->38387 38388 587d502 38387->38388 38389 587d51b GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 38387->38389 38390 587d528 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 38387->38390 38388->38378 38389->38387 38390->38387

                                          Executed Functions

                                          Function 02B89BB0 Relevance: 3.1, Instructions: 3101COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 92fd9afef378ddb74c9f373c4c262401875541617723d026ebdda235fa5a5f22
                                          • Instruction ID: b65dc1746478e9a8e5f45b7b25178195191c3a45b485d4b43344a3ee88d3da83
                                          • Opcode Fuzzy Hash: 92fd9afef378ddb74c9f373c4c262401875541617723d026ebdda235fa5a5f22
                                          • Instruction Fuzzy Hash: CC630871D10B198ACB11EF68C8846A9F7B1FF99300F55D6DAE458B7121EB70AAC4CF81
                                          Function 02B8CF20 Relevance: 2.3, Instructions: 2301COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36e4d19d8f806c700c00e4278541e1aa67c95a2ed2c75049b5a38d8751ba18ca
                                          • Instruction ID: 40e2bfbb5a330b4848d8fc5cc1ba5415539e6f5dc632018182c3c67c74baa619
                                          • Opcode Fuzzy Hash: 36e4d19d8f806c700c00e4278541e1aa67c95a2ed2c75049b5a38d8751ba18ca
                                          • Instruction Fuzzy Hash: 4A332D31D107198ECB11EF68C8806ADF7B1FF99300F55C69AE448A7265EB70EAC5CB81
                                          Function 02B83E48 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2368 2b83e48-2b83eae 2370 2b83ef8-2b83efa 2368->2370 2371 2b83eb0-2b83ebb 2368->2371 2372 2b83efc-2b83f54 2370->2372 2371->2370 2373 2b83ebd-2b83ec9 2371->2373 2382 2b83f9e-2b83fa0 2372->2382 2383 2b83f56-2b83f61 2372->2383 2374 2b83ecb-2b83ed5 2373->2374 2375 2b83eec-2b83ef6 2373->2375 2377 2b83ed9-2b83ee8 2374->2377 2378 2b83ed7 2374->2378 2375->2372 2377->2377 2379 2b83eea 2377->2379 2378->2377 2379->2375 2384 2b83fa2-2b83fba 2382->2384 2383->2382 2385 2b83f63-2b83f6f 2383->2385 2392 2b83fbc-2b83fc7 2384->2392 2393 2b84004-2b84006 2384->2393 2386 2b83f71-2b83f7b 2385->2386 2387 2b83f92-2b83f9c 2385->2387 2388 2b83f7d 2386->2388 2389 2b83f7f-2b83f8e 2386->2389 2387->2384 2388->2389 2389->2389 2391 2b83f90 2389->2391 2391->2387 2392->2393 2394 2b83fc9-2b83fd5 2392->2394 2395 2b84008-2b84056 2393->2395 2396 2b83ff8-2b84002 2394->2396 2397 2b83fd7-2b83fe1 2394->2397 2403 2b8405c-2b8406a 2395->2403 2396->2395 2398 2b83fe3 2397->2398 2399 2b83fe5-2b83ff4 2397->2399 2398->2399 2399->2399 2401 2b83ff6 2399->2401 2401->2396 2404 2b8406c-2b84072 2403->2404 2405 2b84073-2b840d3 2403->2405 2404->2405 2412 2b840e3-2b840e7 2405->2412 2413 2b840d5-2b840d9 2405->2413 2415 2b840e9-2b840ed 2412->2415 2416 2b840f7-2b840fb 2412->2416 2413->2412 2414 2b840db 2413->2414 2414->2412 2415->2416 2419 2b840ef-2b840f2 call 2b80ab8 2415->2419 2417 2b8410b-2b8410f 2416->2417 2418 2b840fd-2b84101 2416->2418 2422 2b8411f-2b84123 2417->2422 2423 2b84111-2b84115 2417->2423 2418->2417 2421 2b84103-2b84106 call 2b80ab8 2418->2421 2419->2416 2421->2417 2426 2b84133-2b84137 2422->2426 2427 2b84125-2b84129 2422->2427 2423->2422 2425 2b84117-2b8411a call 2b80ab8 2423->2425 2425->2422 2430 2b84139-2b8413d 2426->2430 2431 2b84147 2426->2431 2427->2426 2429 2b8412b 2427->2429 2429->2426 2430->2431 2432 2b8413f 2430->2432 2433 2b84148 2431->2433 2432->2431 2433->2433
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Vhm
                                          • API String ID: 0-1451868494
                                          • Opcode ID: 5dcfdc68204102d028e261942418b1abf8ac7306dc2f9b7cfc27e5eebbb2cc19
                                          • Instruction ID: d21815edd3894cd0f1bfce9ab738d7beda20e6ad60ac3a0cde8c6a50b1897a60
                                          • Opcode Fuzzy Hash: 5dcfdc68204102d028e261942418b1abf8ac7306dc2f9b7cfc27e5eebbb2cc19
                                          • Instruction Fuzzy Hash: A9919D71E00309DFDB14EFA9C8817AEBBF2EF48704F148169E419AB294DB748885CF95
                                          Function 02B84A60 Relevance: .3, Instructions: 266COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51e8a9a0ac945928b1eb51f73645bce05368bb15df52153bbe9b4e8cae05d5af
                                          • Instruction ID: be64ee0fb20d5cd85d88e1bf67ad03ea41767d5747524c829c18fca86dead584
                                          • Opcode Fuzzy Hash: 51e8a9a0ac945928b1eb51f73645bce05368bb15df52153bbe9b4e8cae05d5af
                                          • Instruction Fuzzy Hash: 70B16E70E0020ACFDB14EFA9D8817ADBBF2EF48314F148569D419E7294EB749885CF91
                                          Function 02B86EA2 Relevance: 2.6, Strings: 2, Instructions: 147COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1852 2b86ea2-2b86f0a call 2b86c08 1861 2b86f0c-2b86f25 call 2b86344 1852->1861 1862 2b86f26-2b86f55 1852->1862 1866 2b86f57-2b86f5a 1862->1866 1868 2b86f5c-2b86f91 1866->1868 1869 2b86f96-2b86f99 1866->1869 1868->1869 1870 2b86f9b-2b86fa2 1869->1870 1871 2b86fad-2b86fb0 1869->1871 1874 2b87168-2b8716f 1870->1874 1875 2b86fa8 1870->1875 1872 2b86fb2-2b86fc6 1871->1872 1873 2b86fe3-2b86fe6 1871->1873 1881 2b86fc8-2b86fca 1872->1881 1882 2b86fcc 1872->1882 1876 2b86fe8 call 2b8798a 1873->1876 1877 2b86ff6-2b86ff8 1873->1877 1875->1871 1883 2b86fee-2b86ff1 1876->1883 1879 2b86ffa 1877->1879 1880 2b86fff-2b87002 1877->1880 1879->1880 1880->1866 1884 2b87008-2b87017 1880->1884 1885 2b86fcf-2b86fde 1881->1885 1882->1885 1883->1877 1887 2b87019-2b8701c 1884->1887 1888 2b87041-2b87057 1884->1888 1885->1873 1891 2b87024-2b8703f 1887->1891 1888->1874 1891->1887 1891->1888
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq$LRq
                                          • API String ID: 0-3710822783
                                          • Opcode ID: af473bd0f7e29c1ee290ee0c69a57d3a7b3d86acc64b19a73a01ca4a2b85f740
                                          • Instruction ID: 169313d7199d42ac648c5ca2c155aa17d579b49595aff58f49cd8688e5684ba7
                                          • Opcode Fuzzy Hash: af473bd0f7e29c1ee290ee0c69a57d3a7b3d86acc64b19a73a01ca4a2b85f740
                                          • Instruction Fuzzy Hash: 5251C430E102459FDB15EB78C4517AEBBB6EF86304F2084AAE405EB385EB75DC46CB51
                                          Function 0587E0E8 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2329 587e0e8-587e0f3 2330 587e0f5-587e11c call 587d28c 2329->2330 2331 587e11d-587e13c call 587d298 2329->2331 2337 587e142-587e1a1 2331->2337 2338 587e13e-587e141 2331->2338 2345 587e1a7-587e234 GlobalMemoryStatusEx 2337->2345 2346 587e1a3-587e1a6 2337->2346 2350 587e236-587e23c 2345->2350 2351 587e23d-587e265 2345->2351 2350->2351
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3745857675.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_5870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 90fe02b7cdcee134abeadee15685619fbedde14c97e4bf742dc9e830453d7a2a
                                          • Instruction ID: 99bde43d45e29395721790595b659bca67163e213ebc9ebfd0c595e56fe0caa0
                                          • Opcode Fuzzy Hash: 90fe02b7cdcee134abeadee15685619fbedde14c97e4bf742dc9e830453d7a2a
                                          • Instruction Fuzzy Hash: 6A411272D143598FDB14DFBAD8007AEBBF9AF89210F14856AD805E7241DB34A845CBE1
                                          Function 0587D298 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2354 587d298-587e234 GlobalMemoryStatusEx 2357 587e236-587e23c 2354->2357 2358 587e23d-587e265 2354->2358 2357->2358
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0587E13A), ref: 0587E227
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3745857675.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_5870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: c9058bdc6c3cb707682adb957360f86b932ef8f5a5a53b80e9f045384605f9f5
                                          • Instruction ID: 6c512a02b915c637aad95aaf4607abd1ea28212d8f2005063aed2b2b5b7a0f14
                                          • Opcode Fuzzy Hash: c9058bdc6c3cb707682adb957360f86b932ef8f5a5a53b80e9f045384605f9f5
                                          • Instruction Fuzzy Hash: D81114B1C00659DFDB10DFAAD444BDEFBF8BF48214F11816AE918A7250D378A944CFA9
                                          Function 0587E1B8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2361 587e1b8-587e1fe 2363 587e206-587e234 GlobalMemoryStatusEx 2361->2363 2364 587e236-587e23c 2363->2364 2365 587e23d-587e265 2363->2365 2364->2365
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0587E13A), ref: 0587E227
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3745857675.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_5870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 2271947a4c1178311a79166093505e73687b62475de0be6311280ed9cca6c4ff
                                          • Instruction ID: 8cdc082a1c073ff7f27164406894f12067484c4d77b895c12e1d32687829ed8c
                                          • Opcode Fuzzy Hash: 2271947a4c1178311a79166093505e73687b62475de0be6311280ed9cca6c4ff
                                          • Instruction Fuzzy Hash: E81117B1C106599FDB10CFAAD444BDEFBF4BB48320F15815AE818A7240D378A945CFA5
                                          Function 02B83E3D Relevance: 1.5, Strings: 1, Instructions: 234COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2434 2b83e3d-2b83eae 2436 2b83ef8-2b83efa 2434->2436 2437 2b83eb0-2b83ebb 2434->2437 2438 2b83efc-2b83f54 2436->2438 2437->2436 2439 2b83ebd-2b83ec9 2437->2439 2448 2b83f9e-2b83fa0 2438->2448 2449 2b83f56-2b83f61 2438->2449 2440 2b83ecb-2b83ed5 2439->2440 2441 2b83eec-2b83ef6 2439->2441 2443 2b83ed9-2b83ee8 2440->2443 2444 2b83ed7 2440->2444 2441->2438 2443->2443 2445 2b83eea 2443->2445 2444->2443 2445->2441 2450 2b83fa2-2b83fba 2448->2450 2449->2448 2451 2b83f63-2b83f6f 2449->2451 2458 2b83fbc-2b83fc7 2450->2458 2459 2b84004-2b84006 2450->2459 2452 2b83f71-2b83f7b 2451->2452 2453 2b83f92-2b83f9c 2451->2453 2454 2b83f7d 2452->2454 2455 2b83f7f-2b83f8e 2452->2455 2453->2450 2454->2455 2455->2455 2457 2b83f90 2455->2457 2457->2453 2458->2459 2460 2b83fc9-2b83fd5 2458->2460 2461 2b84008-2b8401a 2459->2461 2462 2b83ff8-2b84002 2460->2462 2463 2b83fd7-2b83fe1 2460->2463 2468 2b84021-2b84056 2461->2468 2462->2461 2464 2b83fe3 2463->2464 2465 2b83fe5-2b83ff4 2463->2465 2464->2465 2465->2465 2467 2b83ff6 2465->2467 2467->2462 2469 2b8405c-2b8406a 2468->2469 2470 2b8406c-2b84072 2469->2470 2471 2b84073-2b840d3 2469->2471 2470->2471 2478 2b840e3-2b840e7 2471->2478 2479 2b840d5-2b840d9 2471->2479 2481 2b840e9-2b840ed 2478->2481 2482 2b840f7-2b840fb 2478->2482 2479->2478 2480 2b840db 2479->2480 2480->2478 2481->2482 2485 2b840ef-2b840f2 call 2b80ab8 2481->2485 2483 2b8410b-2b8410f 2482->2483 2484 2b840fd-2b84101 2482->2484 2488 2b8411f-2b84123 2483->2488 2489 2b84111-2b84115 2483->2489 2484->2483 2487 2b84103-2b84106 call 2b80ab8 2484->2487 2485->2482 2487->2483 2492 2b84133-2b84137 2488->2492 2493 2b84125-2b84129 2488->2493 2489->2488 2491 2b84117-2b8411a call 2b80ab8 2489->2491 2491->2488 2496 2b84139-2b8413d 2492->2496 2497 2b84147 2492->2497 2493->2492 2495 2b8412b 2493->2495 2495->2492 2496->2497 2498 2b8413f 2496->2498 2499 2b84148 2497->2499 2498->2497 2499->2499
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Vhm
                                          • API String ID: 0-1451868494
                                          • Opcode ID: dd404a0358007b5838d845af4ccde855b8706078d9f72d04b2765cf0b5d51cd3
                                          • Instruction ID: 8daa129d222151efcc41a85011146b50ee2896957d12187300d251879333e906
                                          • Opcode Fuzzy Hash: dd404a0358007b5838d845af4ccde855b8706078d9f72d04b2765cf0b5d51cd3
                                          • Instruction Fuzzy Hash: 02919C71E00209DFDB10EFA9C8817EEBBF2EF48704F148169E419A7294DB748885CF91
                                          Function 02B8F465 Relevance: 1.4, Strings: 1, Instructions: 107COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq
                                          • API String ID: 0-3820536768
                                          • Opcode ID: 20d55f057fd43ee3a325f78c9dd4a0652d0b864cdd8c44a29268aaa32a98ebea
                                          • Instruction ID: 6d7de7bb96237a406869b9b44bed053567d3d589ba0bac5c193b5215386d46ed
                                          • Opcode Fuzzy Hash: 20d55f057fd43ee3a325f78c9dd4a0652d0b864cdd8c44a29268aaa32a98ebea
                                          • Instruction Fuzzy Hash: AF31C031B002018FDB29AF3485647BE7BE2EF89250F5849A9D406DB786DF34DC46C790
                                          Function 02B8F478 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq
                                          • API String ID: 0-3820536768
                                          • Opcode ID: 28d849db02d97682b77488bfd8ddb1f0a10be65598fdffdd47827c49fed26ac0
                                          • Instruction ID: 1acedaafd45f486a22d1299490211f6b879fdf0e0af61294aa90a52ef6e23163
                                          • Opcode Fuzzy Hash: 28d849db02d97682b77488bfd8ddb1f0a10be65598fdffdd47827c49fed26ac0
                                          • Instruction Fuzzy Hash: 1A31BE30B002058BDB28AF35D5546BE7BE6EB88640F6445ADD40ADB799DF30DC46CBA1
                                          Function 02B86F40 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq
                                          • API String ID: 0-3187445251
                                          • Opcode ID: 22be0a2bfd7696f6d12e9cf6c1a908a7984620beea7873e929376574f1c5ce6b
                                          • Instruction ID: 0c35dee049c41397fa8b4a17a8b81593a261cd406c36025c9ee71df7136d88ee
                                          • Opcode Fuzzy Hash: 22be0a2bfd7696f6d12e9cf6c1a908a7984620beea7873e929376574f1c5ce6b
                                          • Instruction Fuzzy Hash: 3B318171E102098FDB24EFA9C8507AEFBB5FF85314F20896AE409EB240EB71D845CB40
                                          Function 02B86B68 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq
                                          • API String ID: 0-3187445251
                                          • Opcode ID: 868fcb0a6b6811f4d673f45ebe8db4a0b46d6969e3863f1ea74fe1147e9af526
                                          • Instruction ID: f59295c5721d944afc41ce79cda78177f368cfe70c1a54a76d8b39ccfd196686
                                          • Opcode Fuzzy Hash: 868fcb0a6b6811f4d673f45ebe8db4a0b46d6969e3863f1ea74fe1147e9af526
                                          • Instruction Fuzzy Hash: 2021D1317082808FC716FB7894647AEBFE6EF86310F5489AEC145CB399EA358C46C791
                                          Function 02B8798A Relevance: .6, Instructions: 555COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d715219d30c1737bef6e6be09a5bd995149ca1ced59aeb635afcc1f85712378
                                          • Instruction ID: 0005b94dad1ad0e960ae6641289ab3250cb5ddc057dfb3f66fe2cfbf7224b5a1
                                          • Opcode Fuzzy Hash: 0d715219d30c1737bef6e6be09a5bd995149ca1ced59aeb635afcc1f85712378
                                          • Instruction Fuzzy Hash: E212AC35B00202DBDB25EB38E89472872A2FB95254F608E7ED109CB7A4DF71DC56CB91
                                          Function 02B89760 Relevance: .4, Instructions: 359COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a403b9db68ff2aede7cca9fadd63f87d06c981e523903b8ddbb4475ea293906
                                          • Instruction ID: d7d6046cb35b460261ecbd96c026cfa4d435b26a993c9038650fc35b14367155
                                          • Opcode Fuzzy Hash: 6a403b9db68ff2aede7cca9fadd63f87d06c981e523903b8ddbb4475ea293906
                                          • Instruction Fuzzy Hash: F5C18E75B002058FDF14EF69D8847AEBBB1FB88310F1485AAE909DB395DB70E845CB91
                                          Function 02B89412 Relevance: .3, Instructions: 262COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3858477af8313abca0cc15801d7052d8e756a9d5c2bf9354979b1801b72af34c
                                          • Instruction ID: 0c7fe609c3af9ce7f9fa5391d9d2a4739ece57db1aed09c6052390e07bceaf0c
                                          • Opcode Fuzzy Hash: 3858477af8313abca0cc15801d7052d8e756a9d5c2bf9354979b1801b72af34c
                                          • Instruction Fuzzy Hash: 96A14C38A00605DFDF14EF65D495AADBBB2EF88310F1485A9E90ADB365DB30EC42CB50
                                          Function 02B84A55 Relevance: .3, Instructions: 261COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8c5c41f04a801f7ef5b85b11a6972d3750d1da96034a274cdfceb7dcdab9ba9
                                          • Instruction ID: c139bae85bb1683df5989e650fba3259ed4a3cfc5ae06bc05236f004526a683d
                                          • Opcode Fuzzy Hash: b8c5c41f04a801f7ef5b85b11a6972d3750d1da96034a274cdfceb7dcdab9ba9
                                          • Instruction Fuzzy Hash: EEA14D70E0020ACFDB14EFA9D8817ADBBF1FF48318F148569D419AB294EB749885CF95
                                          Function 02B86CA4 Relevance: .1, Instructions: 135COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8300b7dfe79f4fbc68b581f6e86eba536ef3917802090a9f5759b37dcfcbc579
                                          • Instruction ID: 0c0454f5f2c83fe8172a573bbd0879a598acb77bd7da58a2ce474ed19b8bb132
                                          • Opcode Fuzzy Hash: 8300b7dfe79f4fbc68b581f6e86eba536ef3917802090a9f5759b37dcfcbc579
                                          • Instruction Fuzzy Hash: 215113B1D00218CFDB18DFAAC884B9DBBB5FF48314F14816AE819AB3A5D7749844CF95
                                          Function 02B86CB0 Relevance: .1, Instructions: 132COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 064fef1a8597b874526492865567e225d4f39c9b2b4974c75ba231d6cb35eb42
                                          • Instruction ID: 14c92b3531dfe09dc34c7e7c387b1e0e012a1af0ced5f30b40953980db5d490a
                                          • Opcode Fuzzy Hash: 064fef1a8597b874526492865567e225d4f39c9b2b4974c75ba231d6cb35eb42
                                          • Instruction Fuzzy Hash: 6F511571D00218CFDB18DFAAC884B9DBBB5FF48314F148159E819AB3A4D7749844CF95
                                          Function 02B81128 Relevance: .1, Instructions: 109COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8ab1eaecd67a2b2ef1a2f9855db414474837ad876065573448b15372f2ec334
                                          • Instruction ID: 887f3c93256a8f0e6e9a0528ad641338a5431689555328008d5446a8b36ff615
                                          • Opcode Fuzzy Hash: b8ab1eaecd67a2b2ef1a2f9855db414474837ad876065573448b15372f2ec334
                                          • Instruction Fuzzy Hash: F6510A37A15241DFC716FF28F8909993BF6BB917047048A6EE1504B36EFB306906DBA1
                                          Function 02B81138 Relevance: .1, Instructions: 100COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f455d26c622cdbb6124d4cccd730a5f6804300346b3b1379f0c3a949c255829f
                                          • Instruction ID: d41c6ee24dceff620d0a5a0bdb3c452a20f89d5367aa01d0c98fadae10bd42f0
                                          • Opcode Fuzzy Hash: f455d26c622cdbb6124d4cccd730a5f6804300346b3b1379f0c3a949c255829f
                                          • Instruction Fuzzy Hash: FE410C37A01241DFC716FF28F8909993BF6B7917057048A6ED1504B32EFB306906DBA1
                                          Function 02B8F328 Relevance: .1, Instructions: 97COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c5919f4e94fc593cbb6ba80c127d6165e1670d709887b88273c10c81a59b32e8
                                          • Instruction ID: d2419d9b3b58c814a7fae3e3a056c419694356ce11545c3d01e81dd4182d4207
                                          • Opcode Fuzzy Hash: c5919f4e94fc593cbb6ba80c127d6165e1670d709887b88273c10c81a59b32e8
                                          • Instruction Fuzzy Hash: EF316E34A002059BDB15DF74D8946AEBBB2FF89300F54C569E80AE7754EB74EC46CB40
                                          Function 02B826A5 Relevance: .1, Instructions: 95COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a19fa1348710c7f06593b3acd6b8bd53a2ef6c2ae10e7ac75f4d858a3dc453b
                                          • Instruction ID: ff889e392b77e453875ac4b4517e3133a2ed1df2cc94b910c031a36709e68987
                                          • Opcode Fuzzy Hash: 9a19fa1348710c7f06593b3acd6b8bd53a2ef6c2ae10e7ac75f4d858a3dc453b
                                          • Instruction Fuzzy Hash: 2B4102B4D00348DFEB14DFAAC884ADEBBF1BF48304F208029E809AB250DB759945CF95
                                          Function 02B8F338 Relevance: .1, Instructions: 91COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b0768c9378498b97a45fedb6a886350a13dbbbcdfba4f6aec865bccce7d27036
                                          • Instruction ID: b48c2f0fa6945c3dbd1196bb2cd457e22cae800deab7dc6d57504d3db5a4f5df
                                          • Opcode Fuzzy Hash: b0768c9378498b97a45fedb6a886350a13dbbbcdfba4f6aec865bccce7d27036
                                          • Instruction Fuzzy Hash: 69317C34E102059BCB18DF69D8946AEBBB2FF89300F54C529E90AE7744EB70EC46CB50
                                          Function 02B85061 Relevance: .1, Instructions: 90COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a80682b045077d9886e2ba999fa6e3b59a8e70bf7951ccfd4536b4b342e79a3
                                          • Instruction ID: 896e8bcf643f003d4a23aee1c36b08a0beee02a4e991f199f45fff42fe8e64e1
                                          • Opcode Fuzzy Hash: 0a80682b045077d9886e2ba999fa6e3b59a8e70bf7951ccfd4536b4b342e79a3
                                          • Instruction Fuzzy Hash: F3311A31A00214CFDB29FB78C9547AD77B2AF49304F9104ACD40AAB394EB36DD42CBA1
                                          Function 02B826B0 Relevance: .1, Instructions: 90COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 24724c86c2da8b893e52c5bd99b463e141eab118288ac8c8e68f9eeb0b4da558
                                          • Instruction ID: 4953e1a1d19a980049aebd90ebb21c22c4c89f06ea72da1a0cea25e4b3896449
                                          • Opcode Fuzzy Hash: 24724c86c2da8b893e52c5bd99b463e141eab118288ac8c8e68f9eeb0b4da558
                                          • Instruction Fuzzy Hash: D541E0B5D00348DFDB14DFAAC484ADEBBF5BF48314F108029E809AB250DB759945CB95
                                          Function 02B85070 Relevance: .1, Instructions: 89COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bc57d6e8fd9f2e7754d5934bfb654b1511eb16d1582b521e8e9d8739b006a1e8
                                          • Instruction ID: 68e96fc0918e86d55b5dada61303affb3e167aaa0bce01f98794c8c882a08a27
                                          • Opcode Fuzzy Hash: bc57d6e8fd9f2e7754d5934bfb654b1511eb16d1582b521e8e9d8739b006a1e8
                                          • Instruction Fuzzy Hash: F1311A31A00214CFDB25FB78C954BAE77B2EB49304F5104ACD40AAB394EB36DC41CBA1
                                          Function 02B892D1 Relevance: .1, Instructions: 84COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16529169a6514d8fd75244fff01c937d92fe22116d68a31ba709a20c01884429
                                          • Instruction ID: 685bc3bcf16a71016d5709b1d98c7d4c0f5f04d12b61e47eb95ace7d3e9c35af
                                          • Opcode Fuzzy Hash: 16529169a6514d8fd75244fff01c937d92fe22116d68a31ba709a20c01884429
                                          • Instruction Fuzzy Hash: BD316D31A006069BDB15DF64D4907EEBBB2EF89304F10C659E906EB345EB719846CB50
                                          Function 02B8166A Relevance: .1, Instructions: 84COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 41681b9551f19c033b34ccc94e22e69d0ad0d2d0752b1ed4663b86e9888fe4c6
                                          • Instruction ID: 480b918c2c3c9e53c92657dbe17b7b7444a10172f62a9572bc7712a769e242cb
                                          • Opcode Fuzzy Hash: 41681b9551f19c033b34ccc94e22e69d0ad0d2d0752b1ed4663b86e9888fe4c6
                                          • Instruction Fuzzy Hash: AA31B479911200DBDB22FB38E8447A937E5EB45314F144AA9D04ECB769FB34D847CB61
                                          Function 02B8133F Relevance: .1, Instructions: 83COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e799519b2f04b862820017c8eac91ec05168aa2580ae47e9656da4a2a02862c3
                                          • Instruction ID: c7898ccbe8c6a3a97088aad7e51160e69303d8ad60e858b96dcafc2b2855b077
                                          • Opcode Fuzzy Hash: e799519b2f04b862820017c8eac91ec05168aa2580ae47e9656da4a2a02862c3
                                          • Instruction Fuzzy Hash: 4D21D375A12201DBEF32B62CE85876C3792EB42314F448AB9E10ECB744EB349847CB52
                                          Function 02B87059 Relevance: .1, Instructions: 82COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 44214c38bf8c93b8fe139751ec3c709a16acae81e15606a02d9b64016100bbc7
                                          • Instruction ID: 7247c21114ebd3c505af70822b6f7ddba1822ec08890abf7366d38da60f50175
                                          • Opcode Fuzzy Hash: 44214c38bf8c93b8fe139751ec3c709a16acae81e15606a02d9b64016100bbc7
                                          • Instruction Fuzzy Hash: A2210A35B00214CFD705EB78D85476E77B6AB88710B60846CE5068B3ACDE35DC42CBA4
                                          Function 02B892E0 Relevance: .1, Instructions: 78COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 44fdc54320141c3141c82657a36738501683b230bbe78b1c28a6416dced3812c
                                          • Instruction ID: b197fd99df0dda3e8a64b18b9ddae5959b887af7affbcd40a13673ed005bfbd8
                                          • Opcode Fuzzy Hash: 44fdc54320141c3141c82657a36738501683b230bbe78b1c28a6416dced3812c
                                          • Instruction Fuzzy Hash: 7D214F31A106059BDF15DF65D8907AEB7B6FF89300F10C659E909EB344EB709846CB50
                                          Function 02B81450 Relevance: .1, Instructions: 78COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e0ad96ae6c0ae734d62456d27b21ef96a50d76cdfffee43cfb0c36125b0ffab
                                          • Instruction ID: 561133d02a7d1b0096fde581c157bfc1c67c8767744d761268b09d5df354f609
                                          • Opcode Fuzzy Hash: 0e0ad96ae6c0ae734d62456d27b21ef96a50d76cdfffee43cfb0c36125b0ffab
                                          • Instruction Fuzzy Hash: CC21AC32A122519FDF22BABC84903ED7BA1EB46264F1D44EAC44CD7202E7358983CB55
                                          Function 02B891D0 Relevance: .1, Instructions: 76COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e18a5ffec03661d19ff39d705d76d1b97e8a3a3a69217d6be259847c25ac493d
                                          • Instruction ID: 43bc2e90bce100177a1eec47341ba1508c276f2cae031beb13f95fdad47255c4
                                          • Opcode Fuzzy Hash: e18a5ffec03661d19ff39d705d76d1b97e8a3a3a69217d6be259847c25ac493d
                                          • Instruction Fuzzy Hash: AE214C31E006099BDF19DFA8C454AAEB7B2EF89310F10895AED59BB340EB709D46CB51
                                          Function 02B8178A Relevance: .1, Instructions: 74COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9203db79df9d898c48b439310114659266ec461d020afec30f8184de861bb7eb
                                          • Instruction ID: 8e2104aaa225b18cd9ea2cb83eab4e91f8ea7796f6398a26184a8ffd24b5c0a4
                                          • Opcode Fuzzy Hash: 9203db79df9d898c48b439310114659266ec461d020afec30f8184de861bb7eb
                                          • Instruction Fuzzy Hash: C7219676F51211CBDB51AA7CA8047AE3BE6EB48350F104A69D50DD3358E734D816CB91
                                          Function 02B81840 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1f2c75ec58c08919b11a7eba68600af42829fc7706e56bf86bb8a9c53ab0e0e
                                          • Instruction ID: e8511507127a7b52fa860703a751d9c514aa31e04b2a73be885294fc27ecc8a9
                                          • Opcode Fuzzy Hash: e1f2c75ec58c08919b11a7eba68600af42829fc7706e56bf86bb8a9c53ab0e0e
                                          • Instruction Fuzzy Hash: 55216031A15204CFDB14EB78C5597AD77F2EB49305F1005A8D50EEB390DB759D02CB61
                                          Function 02B84F51 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 069a0438b11e07ddb47eeacda6e23155eb6155c2ff07d858869f6d620356ebfc
                                          • Instruction ID: d5f20b11266fe244e72e4c1512da780ead1090b74687a7c82a5bf24d62eb8beb
                                          • Opcode Fuzzy Hash: 069a0438b11e07ddb47eeacda6e23155eb6155c2ff07d858869f6d620356ebfc
                                          • Instruction Fuzzy Hash: C3212C31B00249CFDB68EB78D558BAD77F2EB48304F1144A8E40AEB364DB359D02CB51
                                          Function 0130D394 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740263678.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_130d000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77f0799f6f6f1467fda6ad7c11c571f36e505df158bb66bf296e805079f13b89
                                          • Instruction ID: d430d71983dd24d5eec0ed70326a8887c81cba70ccb9a69121b4aad00878ecec
                                          • Opcode Fuzzy Hash: 77f0799f6f6f1467fda6ad7c11c571f36e505df158bb66bf296e805079f13b89
                                          • Instruction Fuzzy Hash: 4B21F571604304EFDB16DFA4D5D0B25BBE5FB84318F20C5ADE80A5B692C736E446CA62
                                          Function 0130D1E4 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740263678.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_130d000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 937173f5af34f3d68685830c95432bca567219699d1f85b69f30f4e9188f4b7a
                                          • Instruction ID: 447a2df1dbae0d3374a261fa99d1d93a45c907f13d5d1978173c3a057b224721
                                          • Opcode Fuzzy Hash: 937173f5af34f3d68685830c95432bca567219699d1f85b69f30f4e9188f4b7a
                                          • Instruction Fuzzy Hash: A3212671504304EFDB16DFD4D5D0B26BBE9FB84328F20C669E8090B686C336D446CAA2
                                          Function 0130D01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740263678.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_130d000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ded5b2f9a02194a87a1961fa455f930cd1cee1a88414717e296f3a5f24ce768d
                                          • Instruction ID: bb5c7616050c180e94fb7a6e129f325a86bd6590af3a739d43d32193e0503eec
                                          • Opcode Fuzzy Hash: ded5b2f9a02194a87a1961fa455f930cd1cee1a88414717e296f3a5f24ce768d
                                          • Instruction Fuzzy Hash: 8C210071604204EFDB16DFA4D990B16BBE5FB84318F20C56DE80E4B686C336D447CA62
                                          Function 02B891E0 Relevance: .1, Instructions: 70COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6df4590923ed11083e8200de3a8b49580b41b4eb7a272b3360508e3a3c8912b0
                                          • Instruction ID: 590030b717cd12d7e060ecb2a8881938363f5512fd8e180149be46b94e9c20a1
                                          • Opcode Fuzzy Hash: 6df4590923ed11083e8200de3a8b49580b41b4eb7a272b3360508e3a3c8912b0
                                          • Instruction Fuzzy Hash: 95214F31E006099BDB18DFA8C454AAEB7B6EF89310F108A5AED19B7350EB709D45CB51
                                          Function 02B81850 Relevance: .1, Instructions: 70COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a5d263e033fe2652cbbebd91802d44c1cbe744a8b616b65b9f95ecde25b6a91
                                          • Instruction ID: 5d12092e678c51b50af5570b00e377036a1abedfe1940ff0ff54e3e9724e3e36
                                          • Opcode Fuzzy Hash: 3a5d263e033fe2652cbbebd91802d44c1cbe744a8b616b65b9f95ecde25b6a91
                                          • Instruction Fuzzy Hash: 0E213C31B11205CFDB14EB69C5597AE77F6EB89305F1004A8D50EEB394EB369D02CBA1
                                          Function 02B81678 Relevance: .1, Instructions: 69COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b15dc424c74925b0a4728e9142e5de8c8172390b272502dbc6a723f610be2ba
                                          • Instruction ID: 76006afcce29c446f08f31fbf04da65c20d96b36856687aba90f64814dcb709e
                                          • Opcode Fuzzy Hash: 0b15dc424c74925b0a4728e9142e5de8c8172390b272502dbc6a723f610be2ba
                                          • Instruction Fuzzy Hash: B5212E79A51200DBDF22FB78E884B9937A5EB45314F104A65D00ECB799FB34E846CBA1
                                          Function 02B84F60 Relevance: .1, Instructions: 68COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: af2c6a0693a6f5f079988fa36007cb3143d3b09e2a79cfea0aa1981b3ea821ca
                                          • Instruction ID: 23901dae7a11aeee05d65739764fcf8dc14a5db2d0179c4873a96f4b93c23668
                                          • Opcode Fuzzy Hash: af2c6a0693a6f5f079988fa36007cb3143d3b09e2a79cfea0aa1981b3ea821ca
                                          • Instruction Fuzzy Hash: 4C21E931B00209CFDB68EB78C558B9D77F5EB49304F1144A8E40AEB3A4EB359D41CB61
                                          Function 02B80838 Relevance: .1, Instructions: 64COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c16d2b3d172efbefd083ab294788a9189cd68a7615cb6d914b46bd4de71a671a
                                          • Instruction ID: 0d29153e6fc3a8d849f03ae4a45b7d92e9de8cd731a526d379af7dca94f7dc49
                                          • Opcode Fuzzy Hash: c16d2b3d172efbefd083ab294788a9189cd68a7615cb6d914b46bd4de71a671a
                                          • Instruction Fuzzy Hash: 5111E730A043049BEF267675C84437A37A5EB42290F144CBAD54ACF241EB24E8C9CBD2
                                          Function 02B80848 Relevance: .1, Instructions: 62COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b84adde1dadb74149110af75e525e6e78d23f46101c0a3a4d626909bd1e9530
                                          • Instruction ID: 8a8d11a0074203781233b5cf8dbd00c8e4bee7c8ff7bf895471fdc31addb2384
                                          • Opcode Fuzzy Hash: 6b84adde1dadb74149110af75e525e6e78d23f46101c0a3a4d626909bd1e9530
                                          • Instruction Fuzzy Hash: 4611A334B002098BEF65BA79C84436A3295FB46290F204CB9D10ACF340EB71ECC9CBD1
                                          Function 02B81460 Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ccd9a0f1bcc8df11ec68f5fc5795c397172f4e82f7b92d09606732efd038f785
                                          • Instruction ID: 1a4c04d9e5969a0a1408200fa5e8ca4dbf2b6129645d76734065e709a1278df4
                                          • Opcode Fuzzy Hash: ccd9a0f1bcc8df11ec68f5fc5795c397172f4e82f7b92d09606732efd038f785
                                          • Instruction Fuzzy Hash: 30012D31A122168BCF21FFBD84506AD7BF5EB48264B1848BAD40DE7241E735D942CF91
                                          Function 0130D017 Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740263678.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_130d000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                          • Instruction ID: 56b9439e89daa023a33d6490b1a51e396eb033f3195bc4db21ae409580bb0c39
                                          • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                          • Instruction Fuzzy Hash: 3411BB75504280CFCB12CF94D9D4B15BBA2FB84318F24C6AAD8094B696C33AD40ACBA2
                                          Function 0130D1DF Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740263678.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_130d000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
                                          • Instruction ID: 6d6097856c5fb85f21ec2f35ddf1c3785deb4e84fc360aa26ab234647c177aaa
                                          • Opcode Fuzzy Hash: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
                                          • Instruction Fuzzy Hash: 20119075504280CFDB12CF94D5D4B15FBA1FB84328F24C6A9D8494B696C33AD446CB91
                                          Function 0130D38F Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740263678.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_130d000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                          • Instruction ID: 62d643bf0c4b658bdebb8458cc6f5026d3626f70a74828f3532004b60053126b
                                          • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                          • Instruction Fuzzy Hash: 0611DD75504280DFCB12CFA4D5D4B15BFB1FB84318F24C6A9D84A4BA93C33AE44ACB62
                                          Function 012FD89D Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740201005.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_12fd000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 528499a7b2b2b499e364bc07be5394e0b13f0bc797912d528ef8bdfc53ddca02
                                          • Instruction ID: c9dadfa5c978eaa15647a8c9e76e1af1fc54f51379ac83e1414e6860fa5c6db0
                                          • Opcode Fuzzy Hash: 528499a7b2b2b499e364bc07be5394e0b13f0bc797912d528ef8bdfc53ddca02
                                          • Instruction Fuzzy Hash: 4D01A7714143489FE7204AA6DC84766FBD8DF45624F14852DEF591B282C2759845CAB2
                                          Function 02B88170 Relevance: .0, Instructions: 37COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72f18ca72726e8e6ffc582f58f3ae7f6de1001e4bb58316ea655b0cd7251e45b
                                          • Instruction ID: 3087fadb5fbfb60e8b55c827426d7deb52098181e9ba5c5d5ac10d6e6b1d163c
                                          • Opcode Fuzzy Hash: 72f18ca72726e8e6ffc582f58f3ae7f6de1001e4bb58316ea655b0cd7251e45b
                                          • Instruction Fuzzy Hash: 86011A34A11249EFDB06EBB4E994A9C7FF1EF40240F5046A9C5049B259EB31AA06DB51
                                          Function 012FD89C Relevance: .0, Instructions: 36COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740201005.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_12fd000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 29f8671e2f1f84679f1623ec5ad9b22d369214e9bad719d44d1d311bb50a8299
                                          • Instruction ID: 8b8d442348e7b924d0cdff760990175e5cfbbeb62334714faf5f7c724d96a670
                                          • Opcode Fuzzy Hash: 29f8671e2f1f84679f1623ec5ad9b22d369214e9bad719d44d1d311bb50a8299
                                          • Instruction Fuzzy Hash: BAF0F6710043489EE7208E5ADC88B62FFD8EB41734F18C15EEE580F283C3789844CAB1
                                          Function 02B814EC Relevance: .0, Instructions: 36COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 003285a2722f80f36f453417cafae3be1b8448171a22516a522a001e9125922b
                                          • Instruction ID: 72910957bda09c7a7dc5d40b7da2ea947ce6160f51bda1bdf633a353b307b74f
                                          • Opcode Fuzzy Hash: 003285a2722f80f36f453417cafae3be1b8448171a22516a522a001e9125922b
                                          • Instruction Fuzzy Hash: 27F0F633E061508BDB21ABAC84902EC7BB1EB8527571D40DBD80DDB611D734D503CF11
                                          Function 02B88180 Relevance: .0, Instructions: 33COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.3740642274.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_2b80000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa50fba92df3519ef37cdc45ee16fe3818e14e7f5246d7f5b78c6fb244316394
                                          • Instruction ID: dff688f4400adaf42f6e41d57a4248e949b02d63ad83727cd9ab585f710c8ca0
                                          • Opcode Fuzzy Hash: aa50fba92df3519ef37cdc45ee16fe3818e14e7f5246d7f5b78c6fb244316394
                                          • Instruction Fuzzy Hash: E4F0F634E10209EFDB05FBB8E990A9DBBF5EB40240F50466985049B259EA306E09DBA1